summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j25
-rw-r--r--roles/common/files/etc/postfix/master.cf4
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j22
-rw-r--r--roles/out/templates/etc/postfix/main.cf.j24
7 files changed, 22 insertions, 1 deletions
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index c6acd02..00e0081 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -47,40 +47,42 @@ default_transport = error:5.1.1 Transport unavailable
# Virtual transport (the alias resolution and address validation is
# performed on the MX:es only)
virtual_transport = lmtp:unix:private/dovecot-lmtpd
lmtp_bind_address = 127.0.0.1
virtual_mailbox_domains = static:all
virtual_mailbox_maps = static:all
#transport_maps = cdb:$config_directory/transport
# Restore the original envelope recipient
relay_domains =
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = pcre:$config_directory/recipient_canonical.pcre
# Don't rewrite remote headers
local_header_rewrite_clients =
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_ciphers = high
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha256
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index fe65830..85ef821 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -50,49 +50,53 @@ relay_domains =
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# TLS
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
+smtp_tls_ciphers = high
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = encrypt
+smtpd_tls_ciphers = high
+smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = unix:private/dovecot-auth
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 27214a1..af282aa 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -67,50 +67,53 @@ virtual_alias_maps = pcre:$config_directory/virtual/reserved_alias.pcre
ldap:$config_directory/virtual/catchall.cf
transport_maps = cdb:$config_directory/virtual/transport
# Don't rewrite remote headers
local_header_rewrite_clients =
# Pass the client information along to the content filter
smtp_send_xforward_command = yes
# Avoid splitting the envelope and scanning messages multiple times
smtp_destination_recipient_limit = 1000
reserved-alias_destination_recipient_limit = 1
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
+smtp_tls_ciphers = high
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = may
-smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtpd_tls_ciphers = medium
+smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.pem
smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
# http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
# http://www.howtoforge.com/block_spam_at_mta_level_postfix
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# UCE control
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 9b81c70..b816223 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -1,67 +1,71 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtpd pass - - n - - smtpd
-o cleanup_service_name=cleanup_nochroot
smtp inet n - n - 1 postscreen
tlsproxy unix - - n - 0 tlsproxy
dnsblog unix - - n - 0 dnsblog
submission inet n - - - - smtpd
+ -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
cleanup_nochroot unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
smtpl unix - - - - - smtp
-o smtp_bind_address=127.0.0.1
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
127.0.0.1:16132 inet n - - - - smtpd
2525 inet n - - - - smtpd
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
2526 inet n - - - - smtpd
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
2527 inet n - - - - smtpd
+ -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
reserved-alias unix - n n - - pipe
flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
sympa unix - n n - - pipe
flags=Rhu user=sympa argv=/usr/local/bin/sympa-queue ${user}
# Client part (lmtp) - amavis
amavisfeed unix - - n - 5 lmtp
-o lmtp_destination_recipient_limit=1000
-o lmtp_send_xforward_command=yes
-o lmtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
# Server part (smtpd) - amavis (if the MDA and outgoing proxy are on the
# same machine, we need to create another entry, on another port.)
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 39952c2..3f36418 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -25,40 +25,42 @@ alias_maps =
local_recipient_maps =
# All aliases are virtual
default_database_type = cdb
virtual_alias_maps = cdb:/etc/aliases
alias_database = $virtual_alias_maps
# Forward everything to our internal outgoing proxy
{% if 'out' in group_names %}
relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
{% if 'out' in group_names %}
smtp_tls_security_level = none
smtp_bind_address = 127.0.0.1
{% else %}
smtp_tls_security_level = encrypt
+smtp_tls_ciphers = high
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtp_tls_cert_file = $config_directory/ssl/{{ ansible_fqdn }}.pem
smtp_tls_key_file = $config_directory/ssl/{{ ansible_fqdn }}.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_policy_maps = cdb:$config_directory/tls_policy
smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = none
# Turn off all TCP/IP listener ports except that dedicated to
# samhain(8), which sadly cannot use pickup through the sendmail binary.
master_service_disable = !127.0.0.1:16132.inet inet
{% set multi_instance = False %}
{%- for g in postfix_instance.keys() | sort -%}
{%- if g in group_names -%}
{%- if not multi_instance -%}
{%- set multi_instance = True -%}
## Other postfix instances
multi_instance_wrapper = $command_directory/postmulti -p --
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index f3ece49..025e8d9 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -39,40 +39,42 @@ alias_database =
local_recipient_maps =
message_size_limit = 0
recipient_delimiter = +
# No relay: this server is inbound-only
relay_transport = error:5.1.1 Relay unavailable
default_transport = error:5.1.1 Transport unavailable
relay_domains = sympa.$mydomain
transport_maps = cdb:$config_directory/transport
sympa_destination_recipient_limit = 1
# Don't rewrite remote headers
local_header_rewrite_clients =
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_ciphers = high
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha256
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_client_restrictions =
permit_mynetworks
permit_tls_clientcerts
# We are the only ones using this proxy, but if things go wrong we
# want to know why
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 8c03f67..1e1fe74 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -31,45 +31,49 @@ mynetworks_style = host
inet_interfaces = all
# No local delivery
mydestination =
local_transport = error:5.1.1 Mailbox unavailable
alias_maps =
alias_database =
local_recipient_maps =
message_size_limit = 0
recipient_delimiter = +
relay_domains =
relay_transport = error:5.3.2 Relay Transport unavailable
# All header rewriting happens upstream
local_header_rewrite_clients =
smtp_tls_security_level = may
+smtp_tls_ciphers = medium
+smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
relay_clientcerts = cdb:$config_directory/relay_clientcerts
smtpd_tls_security_level = may
+smtpd_tls_ciphers = high
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_session_cache_database=
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha256
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
address_verify_sender = $double_bounce_sender@$mydomain
unverified_recipient_defer_code = 250
unverified_recipient_reject_code = 550
smtpd_client_restrictions =
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-27 13:04:42 +0000