
Revision 9ab70ad9

ID9ab70ad954cd82f4b000d73bd783e96c3ab67654
Parent 7dcda2d6
Child 6e731173

Added by Marc Dequènes 3 months ago

dc-postfix: rework TLS security

  • enforce server cipher order
  • be more restrictive with mandatory secured connections
  • smtpd?_tls_session_cache_database is not needed anymore; RFC 5077 TLS
    session tickets are recommended instead
  • share TLS settings among server types


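--- a/ansible/roles/dc-postfix/templates/mx1/main.cf
+++ b/ansible/roles/dc-postfix/templates/mx1/main.cf
@@ -78,30 +78,7 @@
 #smtpd_sasl_authenticated_header = yes
 broken_sasl_auth_clients = yes
 
-## TLS
-# (server)
-smtpd_tls_ciphers = medium
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
-smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
-# (client)
-smtp_tls_ciphers = medium
-smtp_tls_mandatory_ciphers = high
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-smtp_tls_loglevel = 1
-smtp_tls_security_level = dane
-smtp_tls_note_starttls_offer = yes
-smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps
+{% include "includes/tls.conf" %}
 
 ## Security options
 authorized_flush_users = /etc/postfix/admin_users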
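Review bot: The include line replaces several settings whose loss would silently weaken this MX — `smtpd_tls_auth_only = yes`, `smtp_tls_security_level = dane`, `smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps` and the DH parameter file — and `includes/tls.conf` is not part of this page, so a reader cannot confirm they survive the move. Since the description says the include is shared among server types, any host-specific value (the DANE level and the policy map in particular) either needs to live in that shared file for every type or stay here below the include, where a later line in main.cf overrides the earlier one. A one-line comment above the include would make the contract explicit, e.g. `# shared TLS settings (server + client); host-specific overrides, if any, must follow this line`. The path is presumably resolved against the Jinja template search path rather than the Postfix config directory — worth confirming in the role's templates/ layout.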
