authorMicah <micah@leap.se>2016-03-06 09:23:34 -0500
committerMicah <micah@leap.se>2016-03-11 15:55:20 -0500
commitf69f7ca97791945d0bbe61eda84e69a8ed460e04 (patch)
tree4dc8e6f8b123c5fe83501173ea37a8f55d36c10a /puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
parente3112d668a0c8bf334696a251bfc1b5af12ee844 (diff)
Set MUA required ciphers, tighten up the mandatory protocols (#4232)
Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4
Diffstat (limited to 'puppet/modules/site_postfix/manifests/mx/smtp_tls.pp')
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_tls.pp10
1 files changed, 10 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 4eb80dd6..b27c0e3c 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls {
# see issue #4011
'smtp_tls_protocols':
value => '!SSLv2, !SSLv3';
+ 'smtp_tls_mandatory_protocols':
+ value => '!SSLv2, !SSLv3';
+ 'tls_ssl_options':
+ value => 'NO_COMPRESSION';
+ # We can switch between the different postfix internal list of ciphers by
+ # using smtpd_tls_ciphers. For server-to-server connections we leave this
+ # at its default because of opportunistic encryption combined with many mail
+ # servers only support outdated protocols and ciphers and if we are too
+ # strict with required ciphers, then connections *will* fall-back to
+ # plain-text. Bad ciphers are still better than plain text transmission.
}
}
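Review bot: The added `smtp_tls_mandatory_protocols` line only takes effect for destinations whose smtp_tls_security_level is encrypt or stronger; sessions at the opportunistic `may` level keep using the `smtp_tls_protocols` setting just above it, so a reader should not take this as tightening the common server-to-server path. A comment above the new key would prevent that misreading: `# Only consulted when TLS is mandatory (security_level encrypt or higher); opportunistic sessions are governed by smtp_tls_protocols above.` The explanatory comment at the end of the hunk names `smtpd_tls_ciphers`, which is the inbound (server) side, while this manifest sets only outbound `smtp_*` client parameters; for the outbound server-to-server case the parameter being left at its default is `smtp_tls_ciphers` (and `smtp_tls_mandatory_ciphers` for the mandatory case), so the comment should name those. The "MUA required ciphers" in the commit title are not visible in this hunk, so it would help to say in that comment where the submission-side cipher setting lives, presumably the submission service configuration elsewhere in the module.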