From 8fc53ecddfe875be30501a89fd24f226de7575d9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 18 May 2016 19:25:20 +0200 Subject: postfix: Update to recommended TLS settings. Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) --- roles/common/files/etc/postfix/master.cf | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'roles/common/files/etc') diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf index 9b81c70..b816223 100644 --- a/roles/common/files/etc/postfix/master.cf +++ b/roles/common/files/etc/postfix/master.cf @@ -14,6 +14,7 @@ smtp inet n - n - 1 postscreen tlsproxy unix - - n - 0 tlsproxy dnsblog unix - - n - 0 dnsblog submission inet n - - - - smtpd + -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup cleanup_nochroot unix n - n - 0 cleanup @@ -43,8 +44,11 @@ anvil unix - - - - 1 anvil scache unix - - - - 1 scache 127.0.0.1:16132 inet n - - - - smtpd 2525 inet n - - - - smtpd + -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL 2526 inet n - - - - smtpd + -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL 2527 inet n - - - - smtpd + -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL reserved-alias unix - n n - - pipe flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org sympa unix - n n - - pipe -- cgit v1.2.3