-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j21
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/common-web/files/etc/nginx/ssl/config1
-rwxr-xr-xroles/common/files/usr/local/bin/gendhparam.sh13
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh4
-rw-r--r--roles/common/tasks/main.yml12
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j22
10 files changed, 35 insertions, 6 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 90843b2..e801639 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -43,7 +43,7 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
#ssl_cert_username_field = commonName
# DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+ssl_dh_parameters_length = 2048
# SSL protocols to use
ssl_protocols = !SSLv2
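Review bot: `ssl_dh_parameters_length = 2048` makes Dovecot generate its own DH parameters rather than read the `/etc/ssl/private/dhparams.pem` that the rest of this commit installs for Postfix and nginx, and on the Dovecot releases that carry this setting the regeneration (as far as I recall) happens at restart and can take minutes, with the old parameters staying in use until it finishes. A comment above the line such as `# Dovecot builds its own DH parameters here; this does NOT use /etc/ssl/private/dhparams.pem, and regenerating after a change is slow.` would stop the next reader from expecting the shared file to be picked up. If the deployed Dovecot version can be pointed at a parameter file instead, reusing the shared one would leave a single place to rotate.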
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index ef2f0d6..4cc07a6 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -64,8 +64,10 @@ local_header_rewrite_clients =
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
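Review bot: `smtpd_tls_exclude_ciphers` applies at every TLS security level, but this server runs `smtpd_tls_security_level = may`, where the Postfix documentation advises against excluding ciphers: a peer that only offers an excluded cipher is not refused, it falls back to cleartext SMTP, so the exclusion lowers rather than raises confidentiality for that peer. The same line is added in the MX, lists and out templates of this commit. If the intent is to harden sessions where TLS is required, `smtpd_tls_mandatory_exclude_ciphers` does that without touching opportunistic peers; if the list is kept as is, a comment stating that cleartext fallback for weak-cipher peers is an accepted trade-off would document the decision. `smtpd_tls_dh1024_param_file` is, to my knowledge, loaded by smtpd before it drops privileges, so the root-only mode gendhparam.sh puts on the file should be fine, but confirm that on the deployed host.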
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 8ebefde..800dda8 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -77,6 +77,7 @@ smtp_tls_fingerprint_digest = sha256
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem
smtpd_tls_key_file = /etc/postfix/ssl/private/smtp.fripost.org.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
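Review bot: The MSA receives the DH parameter file but, unlike the IMAP, MX, lists and out templates in this commit, no cipher exclusion, even though `smtpd_tls_security_level = encrypt` above is exactly the case where excluding weak ciphers cannot push a client down to cleartext. Unless `smtpd_tls_mandatory_ciphers` or `smtpd_tls_mandatory_exclude_ciphers` is already set elsewhere in this template, consider `smtpd_tls_mandatory_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5` next to the new line, so the submission service is at least as strict as the opportunistic servers.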
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 181066a..09a5ce7 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -93,8 +93,10 @@ smtp_tls_fingerprint_digest = sha256
smtpd_tls_security_level = none
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
index 7deef29..26a64f4 100644
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ b/roles/common-web/files/etc/nginx/ssl/config
@@ -12,6 +12,7 @@ ssl_session_cache shared:SSL:5m;
# other weaknesses.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_dhparam /etc/ssl/private/dhparams.pem;
ssl_prefer_server_ciphers on;
# Strict Transport Security header for enhanced security. See
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh
new file mode 100755
index 0000000..074986b
--- /dev/null
+++ b/roles/common/files/usr/local/bin/gendhparam.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -ue
+PATH=/usr/bin:/bin
+
+privkey="$1"
+bits="${2:-2048}"
+rand=
+
+mv -f "$(mktemp)" "$privkey"
+chmod og-rwx "$privkey"
+
+openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey"
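Review bot: If the `openssl dhparam` run on the last line fails, `$privkey` is left behind as an empty root-only file, because the script first installs the empty mktemp file at the final path and then truncates into it with `>`; `set -e` aborts the script but does not remove the stub. Since the Ansible task guards this script with `creates=`, that empty file would block every later regeneration while nginx and Postfix are already pointed at it. Generating into the temporary file and moving it into place only after openssl succeeds keeps the final path either absent or complete. Separately, `rand=` is never assigned, so `${rand:-/dev/urandom}` always expands to `/dev/urandom`, and the name `privkey` is misleading for DH parameters, which are not secret.
```shell
# … unchanged: set -ue, PATH, privkey/bits/rand assignments …
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT
chmod og-rwx "$tmp"
openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$tmp"
mv -f "$tmp" "$privkey"
```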
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index d6539e2..982c1d9 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -37,6 +37,7 @@ cn=
usage=
chmod=
chown=
+rand=
usage() {
cat >&2 <<- EOF
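Review bot: `rand=` is declared here and consumed in the third hunk (`-rand "${rand:-/dev/urandom}"`), but none of the hunks in this commit add an option or environment hook that sets it, so unless the argument parser outside these hunks was updated, the new variable is dead and the effective default is unchanged from the removed `rand=/dev/urandom`. Either wire it to an option in the `while [ $# -gt 0 ]` loop (whose body lies outside the second hunk) or drop the indirection; if callers are expected to set it, a comment such as `# rand: entropy source handed to openssl -rand (default /dev/urandom)` would make that contract explicit. The usage() function this hunk ends in continues past the hunk.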
@@ -123,7 +124,6 @@ while [ $# -gt 0 ]; do
shift;
done
-rand=/dev/urandom
case "$type" in
# XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
# genpkey can also create explicit EC parameters, but not named.
@@ -184,7 +184,7 @@ elif [ ! -s "$privkey" -o $force -ge 2 ]; then
mv -f "$(mktemp)" "$privkey" || exit 2
chmod "${chmod:-og-rwx}" "$privkey" || exit 2
[ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
- openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+ openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2
[ "$cmd" = dkim ] && { dkiminfo; exit; }
fi
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b3c0a5..4e85d0a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,12 +15,18 @@
- include: smart.yml tags=smartmontools,smart
when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
- include: haveged.yml tags=haveged,entropy
-- name: Copy genkeypair.sh
- copy: src=usr/local/bin/genkeypair.sh
- dest=/usr/local/bin/genkeypair.sh
+- name: Copy genkeypair.sh and gendhparam.sh
+ copy: src=usr/local/bin/{{ item }}
+ dest=/usr/local/bin/{{ item }}
owner=root group=root
mode=0755
tags: genkey
+ with_items:
+ - genkeypair.sh
+ - gendhparam.sh
+- name: Generate DH parameters
+ command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
+ tags: genkey
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
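Review bot: `creates=/etc/ssl/private/dhparams.pem` on the Generate DH parameters task skips the run whenever the path exists, including when an earlier run left an empty or truncated file, so a failed generation is never retried and the Postfix and nginx configs in this commit keep pointing at an unusable file; a size check (e.g. a stat task feeding a `when:`) or an atomic write in the script would close that gap. The command is also invoked as bare `gendhparam.sh`, which relies on `/usr/local/bin` being in the remote PATH; since the copy task above installs it at `/usr/local/bin/{{ item }}`, calling `/usr/local/bin/gendhparam.sh /etc/ssl/private/dhparams.pem` removes that dependency. A 2048-bit generation can take minutes on a small host, so a comment on the task noting that the first run is slow and intentionally one-shot would help whoever watches the play appear to hang.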
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index e55eb9e..d286f27 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -56,8 +56,10 @@ local_header_rewrite_clients =
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index da8ed48..eab3c0b 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -53,8 +53,10 @@ smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes