summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/MSA/files/etc/postfix/anonymize_sender.pcre3
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j26
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j22
3 files changed, 5 insertions, 6 deletions
diff --git a/roles/MSA/files/etc/postfix/anonymize_sender.pcre b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
index 7c11f4e..162e6c1 100644
--- a/roles/MSA/files/etc/postfix/anonymize_sender.pcre
+++ b/roles/MSA/files/etc/postfix/anonymize_sender.pcre
@@ -1,5 +1,6 @@
/^Received:\s+from\s+(?:\S+\s+\(\S+\s+\[(?:IPv6:)?[[:xdigit:].:]{3,39}\]\))
- (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)\)\s+).*
+ (\s+\(using\s+(?:TLS|SSL)(?:v\S+)?\s+with\s+cipher\s+\S+\s+\(\S+\s+bits\)
+ (?:\s+key-exchange\s+\S+\s+(?:\([^)]+\)\s+)?server-signature\s+\S+\s+\(\d+\s+bits\)\s+server-digest\s+\S+)?\)\s+).*
(\bby\s+(?:\S+\.)?fripost\.org\s+\([^)]+\)
\s+with\s+E?SMTPS?A\s+id\s+[[:xdigit:]]+;?\s.*)/x
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${1}${2}
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 65a0339..a435b0f 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -60,14 +60,14 @@ header_checks = pcre:$config_directory/anonymize_sender.pcre
# TLS
smtp_tls_security_level = none
smtpd_tls_security_level = encrypt
-smtpd_tls_ciphers = high
-smtpd_tls_protocols = !SSLv2, !SSLv3
-smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_cert_file = $config_directory/ssl/smtp.fripost.org.pem
smtpd_tls_key_file = $config_directory/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
+tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# SASL
smtpd_sasl_auth_enable = yes
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 65ca2b6..f199ed0 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -19,10 +19,8 @@ tlsproxy unix - - y - 0 tlsproxy
dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
- -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
submissions inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
- -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no