diff options
| -rw-r--r-- | roles/MSA/files/etc/postfix/anonymize_sender.pcre | 3 | ||||
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 6 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 2 |
3 files changed, 5 insertions, 6 deletions
diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre index 7c11f4e..162e6c1 100644 --- a/roles/MSA/files/etc/postfix/anonymize_sender.pcre +++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre @@ -1,7 +1,8 @@ /^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[(?:IPv6:)?[[:xdigit:].:]{3,39}\]\)) - (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).* + (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\) + (?:\s+key-exchange\s+\S+\s+(?:\([^)]+\)\s+)?server-signature\s+\S+\s+\(\d+\s+bits\)\s+server-digest\s+\S+)?\)\s+).* (\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\) \s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2} /^X-Originating-IP:/ IGNORE diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 65a0339..a435b0f 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -43,48 +43,48 @@ recipient_delimiter = + relayhost = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }} relay_domains = # Don't rewrite remote headers local_header_rewrite_clients = # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s policyd-spf_time_limit = $ipc_timeout # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre #content_filter = amavisfeed:unix:public/amavisfeed-antivirus # TLS smtp_tls_security_level = none smtpd_tls_security_level = encrypt -smtpd_tls_ciphers = high -smtpd_tls_protocols = !SSLv2, !SSLv3 -smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 +smtpd_tls_mandatory_ciphers = high +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_cert_file = $config_directory/ssl/smtp.fripost.org.pem smtpd_tls_key_file = $config_directory/ssl/smtp.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem smtpd_tls_session_cache_database= smtpd_tls_received_header = yes +tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes address_verify_sender = $double_bounce_sender@noreply.$mydomain address_verify_poll_count = 3 address_verify_relayhost = diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 65ca2b6..f199ed0 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -2,44 +2,42 @@ # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # {{ ansible_managed }} # Do NOT edit this file directly! # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== {% if inst is not defined %} [127.0.0.1]:16132 inet n - y - - smtpd {% elif inst == 'MX' %} smtpd pass - - y - - smtpd smtp inet n - y - 1 postscreen tlsproxy unix - - y - 0 tlsproxy dnsblog unix - - y - 0 dnsblog {% elif inst == 'MSA' %} submission inet n - y - - smtpd - -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL submissions inet n - y - - smtpd -o smtpd_tls_wrappermode=yes - -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL {% if groups.webmail | difference([inventory_hostname]) | length > 0 %} [{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd -o broken_sasl_auth_clients=no -o smtpd_tls_security_level=none -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_exceptions_networks= -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }} -o smtpd_peername_lookup=no {% endif %} {% elif inst in ['IMAP', 'out', 'lists'] %} [{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }} -o smtpd_peername_lookup=no {% endif %} pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce |