From 8fc53ecddfe875be30501a89fd24f226de7575d9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 18 May 2016 19:25:20 +0200
Subject: postfix: Update to recommended TLS settings.

Following Viktor Dukhovni's 2015-08-06 recommendation

    http://article.gmane.org/gmane.mail.postfix.user/251935

(We're using stronger ciphers and protocols in our own infrastructure.)
---
 roles/IMAP/templates/etc/postfix/main.cf.j2   | 2 ++
 roles/MSA/templates/etc/postfix/main.cf.j2    | 4 ++++
 roles/MX/templates/etc/postfix/main.cf.j2     | 5 ++++-
 roles/common/files/etc/postfix/master.cf      | 4 ++++
 roles/common/templates/etc/postfix/main.cf.j2 | 2 ++
 roles/lists/templates/etc/postfix/main.cf.j2  | 2 ++
 roles/out/templates/etc/postfix/main.cf.j2    | 4 ++++
 7 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index c6acd02..00e0081 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -64,6 +64,8 @@ local_header_rewrite_clients =
 
 relay_clientcerts               = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level        = may
+smtpd_tls_ciphers               = high
+smtpd_tls_protocols             = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
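Review bot: With `smtpd_tls_security_level = may` in the context above, the added `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` does not reject a peer that only speaks TLS 1.0/1.1 — Postfix simply lets that session proceed in cleartext, which is the downgrade that the opportunistic-TLS advice this commit cites warns against. That is presumably acceptable here because `relay_clientcerts` suggests only the organisation's own hosts talk to this listener, but nothing in the file says so, and a later reader may copy these lines to a public-facing role. Record the assumption next to the setting, e.g. `# Internal-only listener: every peer speaks TLS 1.2, so a cleartext fallback cannot happen in practice`. The `smtpd_tls_exclude_ciphers` line below is now largely redundant with the `high` grade (EXPORT/LOW/MEDIUM are outside it already) but is harmless.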
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index fe65830..85ef821 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -67,6 +67,8 @@ smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
+smtp_tls_ciphers                = high
+smtp_tls_protocols              = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
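Review bot: The two added lines have no effect at this security level: with `smtp_tls_security_level = encrypt` the Postfix SMTP client takes its cipher grade and protocol list from `smtp_tls_mandatory_ciphers` and `smtp_tls_mandatory_protocols`, while `smtp_tls_ciphers` / `smtp_tls_protocols` only govern opportunistic (`may`) sessions. As written, these mandatory-TLS sessions keep the defaults (medium grade, only SSLv2/SSLv3 excluded), so TLS 1.0 and 1.1 remain negotiable; `smtp_tls_exclude_ciphers` does apply at every level, so the cipher side is mostly covered. Use `smtp_tls_mandatory_ciphers = high` and `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` instead (or set both families if this template is ever rendered at `may`). The enclosing Jinja conditional starts before this hunk.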
@@ -76,6 +78,8 @@ smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = encrypt
+smtpd_tls_ciphers               = high
+smtpd_tls_protocols             = !SSLv2, !SSLv3
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
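Review bot: Same mismatch on the server side: `smtpd_tls_security_level = encrypt` means the listener uses `smtpd_tls_mandatory_ciphers` (default medium) and `smtpd_tls_mandatory_protocols`, not the `smtpd_tls_ciphers` / `smtpd_tls_protocols` lines added here, so the intended `high` grade is not selected. That also matters for the `tls_high_cipherlist` override this commit adds to the submission service in master.cf — Postfix only consults the high list when the effective grade resolves to high, so if that service is served by this file the override is currently dead. The protocol line adds nothing either, since `!SSLv2, !SSLv3` is already the mandatory default. Change to `smtpd_tls_mandatory_ciphers = high` and `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3`.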
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 27214a1..af282aa 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -84,6 +84,8 @@ smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
+smtp_tls_ciphers                = high
+smtp_tls_protocols              = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
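Review bot: `smtp_tls_ciphers` and `smtp_tls_protocols` are the opportunistic-TLS knobs; at `smtp_tls_security_level = encrypt` (context line above) the client honours `smtp_tls_mandatory_ciphers` and `smtp_tls_mandatory_protocols`, so this hunk leaves TLS 1.0/1.1 enabled on the MX's mandatory outbound sessions. Only `smtp_tls_exclude_ciphers` below is applied regardless of level. Replace the two lines with `smtp_tls_mandatory_ciphers = high` and `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`. The enclosing Jinja `{% else %}` branch begins before this hunk.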
@@ -93,7 +95,8 @@ smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = may
-smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtpd_tls_ciphers               = medium
+smtpd_tls_protocols             = !SSLv2, !SSLv3
 smtpd_tls_cert_file             = /etc/postfix/ssl/mx.fripost.org.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/mx.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
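Review bot: Dropping `smtpd_tls_exclude_ciphers` on the public MX while keeping `smtpd_tls_security_level = may` is the right call for opportunistic TLS (a refused weak cipher becomes a cleartext session), but the file does not explain it, and the removed exclusions of RC4 and MD5 look like a regression to anyone who has not read the cited thread — with Postfix's default medium cipherlist RC4 is offered again, albeit at lowest preference. Add a comment above the setting so it is not "hardened" back, e.g. `# Public MX, opportunistic TLS: do not exclude weak ciphers or protocols here; the alternative for a weak peer is cleartext (postfix-users, Dukhovni 2015-08-06)`. Note that `!SSLv2, !SSLv3` matches the default in current releases, so the protocol line documents intent rather than changing behaviour.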
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 9b81c70..b816223 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -14,6 +14,7 @@ smtp      inet  n       -       n       -       1       postscreen
 tlsproxy  unix  -       -       n       -       0       tlsproxy
 dnsblog   unix  -       -       n       -       0       dnsblog
 submission inet n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 cleanup_nochroot unix n -       n       -       0       cleanup
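Review bot: The `tls_high_cipherlist` override on the submission service only takes effect when the service's cipher grade resolves to high; the grade itself is still inherited from the role's main.cf, and for a listener running at `encrypt` that is `smtpd_tls_mandatory_ciphers`, whose default is medium. Unless the main.cf used with this master.cf sets the mandatory grade to high, Postfix will keep using `tls_medium_cipherlist` and this line is dead. Pin the grade alongside the list so the service is self-describing: add `-o smtpd_tls_mandatory_ciphers=high` under submission. Postfix also documents `tls_high_cipherlist` as a setting to change only with care; a short comment stating why `!3DES` and `!MD5` are dropped from the high grade here would help the next maintainer.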
@@ -43,8 +44,11 @@ anvil     unix  -       -       -       -       1       anvil
 scache    unix  -       -       -       -       1       scache
 127.0.0.1:16132 inet n  -       -       -       -       smtpd
 2525      inet  n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 2526      inet  n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 2527      inet  n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 reserved-alias unix  -  n       n       -       -       pipe
   flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
 sympa     unix  -       n       n       -       -       pipe
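Review bot: The same `tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL` string is repeated verbatim for the 2525, 2526 and 2527 listeners, which is how the three inevitably drift apart on the next edit. master.cf `-o` values may reference main.cf parameters, so define it once there (`internal_tls_high_cipherlist = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL`) and use `-o tls_high_cipherlist=$internal_tls_high_cipherlist` on each service. As with the submission override, this list is only consulted when the listener's grade is high, which depends on the security level and `smtpd_tls_ciphers` / `smtpd_tls_mandatory_ciphers` in whichever role's main.cf serves these ports; consider adding `-o smtpd_tls_ciphers=high -o smtpd_tls_mandatory_ciphers=high` so the services do not rely on that. A comment naming what these three ports are for would also help, since nothing in the hunk says.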
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 39952c2..3f36418 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -42,6 +42,8 @@ smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
+smtp_tls_ciphers                = high
+smtp_tls_protocols              = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = $config_directory/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = $config_directory/ssl/{{ ansible_fqdn }}.key
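Review bot: As in the other roles, `smtp_tls_ciphers` and `smtp_tls_protocols` only apply to opportunistic sessions, but this branch sets `smtp_tls_security_level = encrypt`, where Postfix reads `smtp_tls_mandatory_ciphers` and `smtp_tls_mandatory_protocols` instead — so TLS 1.0/1.1 stay allowed here. Use `smtp_tls_mandatory_ciphers = high` and `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`; `smtp_tls_exclude_ciphers` below already applies at every level. The Jinja conditional enclosing this block starts before the hunk.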
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index f3ece49..025e8d9 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -56,6 +56,8 @@ local_header_rewrite_clients =
 
 relay_clientcerts               = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level        = may
+smtpd_tls_ciphers               = high
+smtpd_tls_protocols             = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
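Review bot: At `smtpd_tls_security_level = may`, excluding TLSv1 and TLSv1.1 does not make an old peer negotiate something better — it makes that peer's session cleartext, since opportunistic TLS never fails the connection. If this lists listener, like the IMAP one, only receives from the organisation's own relays (the `relay_clientcerts` line suggests so), that is fine, but it should be stated in the file so the same lines are not copied to an Internet-facing role: `# Internal-only listener; peers all support TLS 1.2, so the protocol exclusions cannot cause a cleartext fallback`. The `smtpd_tls_exclude_ciphers` line is mostly redundant with the `high` grade but harmless.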
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 8c03f67..1e1fe74 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -48,11 +48,15 @@ local_header_rewrite_clients =
 
 
 smtp_tls_security_level         = may
+smtp_tls_ciphers                = medium
+smtp_tls_protocols              = !SSLv2, !SSLv3
 smtp_tls_note_starttls_offer    = yes
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 
 relay_clientcerts               = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level        = may
+smtpd_tls_ciphers               = high
+smtpd_tls_protocols             = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
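Review bot: The outbound client block is the one place in this commit that deliberately keeps weak crypto reachable (`smtp_tls_ciphers = medium`, only SSLv2/SSLv3 excluded, no `smtp_tls_exclude_ciphers`) because at `smtp_tls_security_level = may` the alternative for a weak remote MX is cleartext; that reasoning lives only in the commit message, so add it to the template, e.g. `# Opportunistic delivery to arbitrary MXs: do not exclude weak ciphers/protocols, a refused handshake falls back to cleartext`. In current Postfix releases both values appear to be the defaults, so the lines document intent rather than change behaviour — worth saying in the same comment. The smtpd part of the hunk excludes TLS 1.0/1.1 at `may`, which again only avoids a cleartext fallback if every peer of this listener speaks TLS 1.2; `relay_clientcerts` hints that is the case, but a one-line comment would make it explicit.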