
Revision 9ab70ad9

ID9ab70ad954cd82f4b000d73bd783e96c3ab67654
Parent 7dcda2d6
Child 6e731173

Added by Marc Dequènes 25 days ago

dc-postfix: rework TLS security

  • enforce server cipher order
  • be more restrictive with mandatory secured connections
  • smtpd?_tls_session_cache_database is not needed anymore; RFC 5077 TLS
    session tickets are recommended instead
  • share TLS settings among server types


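--- a/ansible/roles/dc-postfix/templates/relay/main.cf
+++ b/ansible/roles/dc-postfix/templates/relay/main.cf
@@ -26,30 +26,7 @@
 masquerade_domains = $mydomain
 masquerade_exceptions =
 
-## TLS
-# (server)
-smtpd_tls_ciphers = medium
-smtpd_tls_mandatory_ciphers = high
-smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtpd_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
-smtpd_tls_dh1024_param_file = {{ cert_dir }}/{{ cert_base_name }}.dh
-smtpd_tls_loglevel = 1
-smtpd_tls_received_header = yes
-smtpd_tls_security_level = may
-smtpd_tls_auth_only = yes
-# (client)
-smtp_tls_ciphers = medium
-smtp_tls_mandatory_ciphers = high
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_key_file = {{ cert_dir }}/{{ cert_base_name }}.key
-smtp_tls_cert_file = {{ cert_dir }}/{{ cert_base_name }}.crt
-smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-smtp_tls_loglevel = 1
-smtp_tls_security_level = dane
-smtp_tls_note_starttls_offer = yes
-smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps
+{% include "includes/tls.conf" %}
 
 ## Security options
 authorized_flush_users = /etc/postfix/admin_users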
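Review bot: The relay-specific TLS policy that this file previously stated explicitly (`smtp_tls_security_level = dane`, `smtp_tls_policy_maps = hash:$config_directory/tls_policy_maps`, `smtpd_tls_auth_only = yes`, and the `smtpd_tls_dh1024_param_file` setting) is now delegated to `includes/tls.conf`, which is not part of this commit view, so nothing on the new side documents what the relay depends on the shared include to provide. Since the commit message says the include is shared among server types, a later edit to that file for a different role could silently downgrade this relay's outbound security level without any diff in this template. I would add a comment above the include naming the settings this role relies on, e.g. `## TLS (shared; includes/tls.conf must keep smtp_tls_security_level = dane, smtp_tls_policy_maps and smtpd_tls_auth_only = yes for the relay)`, or keep the relay-specific overrides after the include so they stay visible here. Whether the shared file currently sets these values cannot be confirmed from this page.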
