author | Micah <micah@leap.se> | 2016-03-06 09:23:34 -0500 |
---|---|---|
committer | Micah <micah@leap.se> | 2016-03-11 15:55:20 -0500 |
commit | f69f7ca97791945d0bbe61eda84e69a8ed460e04 (patch) | |
tree | 4dc8e6f8b123c5fe83501173ea37a8f55d36c10a /puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | |
parent | e3112d668a0c8bf334696a251bfc1b5af12ee844 (diff) |
Set MUA required ciphers, tighten up the mandatory protocols (#4232)
Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4
Diffstat (limited to 'puppet/modules/site_postfix/manifests/mx/smtp_tls.pp')
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 4eb80dd6..b27c0e3c 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls {
 # see issue #4011
 'smtp_tls_protocols':
 value => '!SSLv2, !SSLv3';
+ 'smtp_tls_mandatory_protocols':
+ value => '!SSLv2, !SSLv3';
+ 'tls_ssl_options':
+ value => 'NO_COMPRESSION';
+ # We can switch between the different postfix internal list of ciphers by
+ # using smtpd_tls_ciphers. For server-to-server connections we leave this
+ # at its default because of opportunistic encryption combined with many mail
+ # servers only support outdated protocols and ciphers and if we are too
+ # strict with required ciphers, then connections *will* fall-back to
+ # plain-text. Bad ciphers are still better than plain text transmission.
 }
 } |
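Review bot: The added comment block names `smtpd_tls_ciphers`, the server-side parameter, while the settings visible in this class are for the outbound client, so the cipher-grade knob it should point at is `smtp_tls_ciphers`; as written a maintainer could end up tightening the wrong side. I would reword its opening to `# The cipher grade for outgoing connections is selected with smtp_tls_ciphers.` and fix the run-on that follows ("combined with many mail servers only support"). `tls_ssl_options` is also not client-specific: it is a global Postfix setting that applies to smtpd as well, and it exists only from Postfix 2.11, so a one-line comment above it saying so would help, and the target platform's Postfix version is worth confirming. The class body starts above the hunk, so its other settings are not visible from here.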