
Revision 9ab70ad9

ID9ab70ad954cd82f4b000d73bd783e96c3ab67654
Parent 7dcda2d6
Child 6e731173

Added by Marc Dequènes 3 months ago

dc-postfix: rework TLS security

  • enforce server cipher order
  • be more restrictive with mandatory secured connections
  • smtpd?_tls_session_cache_database is no longer needed; RFC 5077 TLS
    session tickets are recommended instead
  • share TLS settings among server types


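--- a/ansible/roles/dc-postfix/templates/includes/tls.conf
+++ b/ansible/roles/dc-postfix/templates/includes/tls.conf
@@ -0,0 +1,27 @@
+## TLS
+tls_preempt_cipherlist = yes
+tls_ssl_options = NO_COMPRESSION
+# (server)
+smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
+smtpd_tls_ciphers = medium
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_eecdh_grade=auto
+smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
+smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
+smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+# (client)
+smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
+smtp_tls_ciphers = medium
+smtp_tls_mandatory_ciphers = high
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
+smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
+smtp_tls_loglevel = 1
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps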
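Review bot: Only the `_mandatory_protocols` lists are tightened (lines 5 and 18 of the new file), but with `smtpd_tls_security_level = may` the server's opportunistic handshakes are governed by `smtpd_tls_protocols`, and the client's non-DANE, non-policy destinations by `smtp_tls_protocols`, neither of which this file sets, so those sessions keep the Postfix defaults. If the intent is to drop old protocol versions for opportunistic TLS as well, add `smtpd_tls_protocols = !SSLv2 !SSLv3` and `smtp_tls_protocols = !SSLv2 !SSLv3` (extending to `!TLSv1 !TLSv1.1` only if the peer population allows it, since an opportunistic peer that cannot negotiate falls back to cleartext rather than failing); otherwise a one-line comment such as `# stricter protocol/cipher lists below apply to mandatory and DANE-verified sessions only` would keep the file from being read as disabling TLSv1 everywhere. `smtp_tls_security_level = dane` presumably relies on `smtp_dns_support_level = dnssec` being set elsewhere in main.cf — worth confirming, as without a DNSSEC-validating resolver the client gets no DANE verification. Line 8 `smtpd_tls_eecdh_grade=auto` is the only key written without spaces around `=`; match the `key = value` style of the rest of the file.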
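--- a/ansible/roles/dc-postfix/templates/mx1/main.cf
+++ b/ansible/roles/dc-postfix/templates/mx1/main.cf
@@ -78,30 +78,7 @@
 #smtpd_sasl_authenticated_header = yes
 broken_sasl_auth_clients = yes
 
-## TLS
-# (server)
-smtpd_tls_ciphers = medium
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
-smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
-# (client)
-smtp_tls_ciphers = medium
-smtp_tls_mandatory_ciphers = high
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-smtp_tls_loglevel = 1
-smtp_tls_security_level = dane
-smtp_tls_note_starttls_offer = yes
-smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps
+{% include "includes/tls.conf" %}
 
 ## Security options
 authorized_flush_users = /etc/postfix/admin_users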
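--- a/ansible/roles/dc-postfix/templates/mx2/main.cf
+++ b/ansible/roles/dc-postfix/templates/mx2/main.cf
@@ -46,30 +46,7 @@
 transport_maps =
 	hash:$config_directory/transport
 
-## TLS
-# (server)
-smtpd_tls_ciphers = medium
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
-smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
-# (client)
-smtp_tls_ciphers = medium
-smtp_tls_mandatory_ciphers = high
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-smtp_tls_loglevel = 1
-smtp_tls_security_level = dane
-smtp_tls_note_starttls_offer = yes
-smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps
+{% include "includes/tls.conf" %}
 
 ## Security options
 authorized_flush_users = /etc/postfix/admin_users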
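--- a/ansible/roles/dc-postfix/templates/relay/main.cf
+++ b/ansible/roles/dc-postfix/templates/relay/main.cf
@@ -26,30 +26,7 @@
 masquerade_domains = $mydomain
 masquerade_exceptions =
 
-## TLS
-# (server)
-smtpd_tls_ciphers = medium
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
-smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
-# (client)
-smtp_tls_ciphers = medium
-smtp_tls_mandatory_ciphers = high
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-smtp_tls_loglevel = 1
-smtp_tls_security_level = dane
-smtp_tls_note_starttls_offer = yes
-smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps
+{% include "includes/tls.conf" %}
 
 ## Security options
 authorized_flush_users = /etc/postfix/admin_users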
