authorMicah Anderson <micah@leap.se>2013-08-29 16:14:53 -0400
committerMicah Anderson <micah@leap.se>2013-08-29 16:15:24 -0400
commitddcab83dda101ee335bbf37451f37e2bfe358c7f (patch)
tree39b16c87367ae06ecc1c0f9dbe6a75977610697f
parent1f66ee794114d6a7096e15d0b044c17cb6d22a91 (diff)
Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)
- enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
- add 465 to the allowed open ports in the firewall
- change the smtp-service.json to use 465 instead of 25

note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need.

Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
-rw-r--r--provider_base/files/service-definitions/v1/smtp-service.json.erb2
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp1
-rw-r--r--puppet/modules/site_shorewall/manifests/mx.pp2
3 files changed, 3 insertions, 2 deletions
diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb
index 60129f5f..8fee9f8e 100644
--- a/provider_base/files/service-definitions/v1/smtp-service.json.erb
+++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb
@@ -15,7 +15,7 @@
host = {}
host["hostname"] = node.domain.full
host["ip_address"] = node.ip_address
- host["port"] = 25 # hard coded for now, later node.smtp.port
+ host["port"] = 465 # hard coded for now, later node.smtp.port
if node['location']
location_name = underscore(node.location.name)
host["location"] = location_name
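Review bot: The inline comment on the changed `host["port"]` line still says only `hard coded for now` and does not record that 465 is an implicit-TLS (smtps) port rather than a STARTTLS port, which is the security-relevant part of this change for the client that consumes this service definition. Suggest `host["port"] = 465 # smtps, implicit TLS (not STARTTLS); hard coded for now, later node.smtp.port`. The `host` assignment block this line belongs to starts before the hunk.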
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index ed5b3832..18815f70 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -35,6 +35,7 @@ class site_postfix::mx {
preseed => true,
root_mail_recipient => $root_mail_recipient,
smtp_listen => 'all',
+ mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n",
require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
User['vmail'] ]
}
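Review bot: The new smtps service in `mastercf_tail` only sets wrapper mode and `smtpd_tls_security_level=encrypt`, so it inherits whatever restrictions main.cf applies to the port 25 listener; unless SASL authentication and a permit_sasl_authenticated restriction are already enabled globally (not visible in this hunk), port 465 is a TLS-wrapped copy of the MX listener rather than the submission-only port the commit description describes. If they are not set globally, consider per-service overrides next to the two existing `-o` entries, e.g. `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`. A short comment above `mastercf_tail` stating why implicit TLS on 465 was chosen over STARTTLS on the submission port would keep the rationale from the commit message next to the code. The enclosing postfix resource declaration starts before the hunk.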
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
index 5ec95fdd..123ffec2 100644
--- a/puppet/modules/site_shorewall/manifests/mx.pp
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -2,7 +2,7 @@ class site_shorewall::mx {
include site_shorewall::defaults
- $smtpd_ports = '25'
+ $smtpd_ports = '25,465'
# define macro for incoming services
file { '/etc/shorewall/macro.leap_mx':