
Revision 9ab70ad9

ID9ab70ad954cd82f4b000d73bd783e96c3ab67654
Parent 7dcda2d6
Child 6e731173

Added by Marc Dequènes 3 months ago

dc-postfix: rework TLS security

  • enforce server cipher order
  • be more restrictive with mandatory secured connections
  • smtpd?_tls_session_cache_database is not needed anymore; RFC 5077 TLS
    session tickets are recommended instead
  • share TLS settings among server types


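--- a/ansible/roles/dc-postfix/templates/mx2/main.cf
+++ b/ansible/roles/dc-postfix/templates/mx2/main.cf
@@ -46,30 +46,7 @@
 transport_maps =
 	hash:$config_directory/transport
 
-## TLS
-# (server)
-smtpd_tls_ciphers = medium
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
-smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
-# (client)
-smtp_tls_ciphers = medium
-smtp_tls_mandatory_ciphers = high
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-smtp_tls_loglevel = 1
-smtp_tls_security_level = dane
-smtp_tls_note_starttls_offer = yes
-smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps
+{% include "includes/tls.conf" %}
 
 ## Security options
 authorized_flush_users = /etc/postfix/admin_users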
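Review bot: The new `{% include "includes/tls.conf" %}` line replaces mx2-specific settings with a shared file that is not part of this diff, so whether values this role relied on — notably `smtp_tls_security_level = dane`, `smtpd_tls_auth_only = yes` and the `smtp_tls_policy_maps` lookup — survive in the shared file cannot be verified from this hunk; a one-line comment at the include site, `# TLS settings shared by all server types; role-specific TLS overrides must come after this include`, would make the intended precedence explicit for the next editor. The commit message drops both the smtpd and smtp session cache databases on the grounds that session tickets replace them; that reasoning is about the server side, and whether the Postfix SMTP client can keep tickets without `smtp_tls_session_cache_database` should be confirmed against the TLS_README for the Postfix version deployed here before the client cache is removed from the shared include. The rest of main.cf, including any later TLS-related settings, is outside this hunk.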
