author | Micah Anderson <micah@leap.se> | 2013-10-03 13:53:27 -0400 |
committer | Micah Anderson <micah@leap.se> | 2013-10-03 13:53:27 -0400 |
commit | ab6f1ad59dd8e9ab4952bf2e9ab8943d3ae60f44 (patch) | |
tree | f585b5e389462934c887a9b0aabf6bc38f237daf /puppet/modules | |
parent | a8ef394f67d8dc742f18a17302ec0f449e53eaa6 (diff) | |
parent | 56f7b18d03f5ea337a68d653b422834c9283cfab (diff) |
Merge branch 'feature/3953' into develop
Diffstat (limited to 'puppet/modules')
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 89b63ba1..3bc7d85b 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -14,6 +14,41 @@ class site_postfix::mx::tls {
 'smtpd_tls_ask_ccert':
 value => 'yes';
 'smtpd_tls_security_level':
 value => 'may';
+ 'smtpd_tls_eecdh_grade':
+ value => 'ultra'
+ }
+
+ # Setup DH parameters
+ # Instead of using the dh parameters that are created by leap cli, it is more
+ # secure to generate new parameter files that will only be used for postfix,
+ # for each machine
+
+ include site_config::packages::gnutls
+
+ # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+ # parameters Neither Postfix nor OpenSSL actually care about the size of the
+ # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits
+
+ exec { 'certtool-postfix-gendh-1024':
+ command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem',
+ user => root,
+ group => root,
+ creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => Package['gnutls-bin']
+ }
+
+ # Make sure the dh params file has correct ownership and mode
+ file {
+ '/etc/postfix/smtpd_tls_dh_param.pem':
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Exec['certtool-postfix-gendh-1024'];
+ }
+
+ postfix::config { 'smtpd_tls_dh1024_param_file':
+ value => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => File['/etc/postfix/smtpd_tls_dh_param.pem']
 }
 }
|
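Review bot: The exec `certtool-postfix-gendh-1024` runs `certtool` as an unqualified command and sets no `path` attribute, so unless an `Exec { path => ... }` resource default is declared elsewhere in these manifests Puppet will refuse to run it; adding `path => ['/usr/bin', '/bin'],` to the exec (or writing `/usr/bin/certtool`) removes the dependency on a global default, and the `require => Package['gnutls-bin']` likewise assumes `site_config::packages::gnutls` declares that exact package, which is not visible here. The comment above the exec says the file is named dh_1024.pem, but the file actually written is /etc/postfix/smtpd_tls_dh_param.pem and only the Postfix parameter name carries "1024"; rewording it to `# Note: the parameter is named smtpd_tls_dh1024_param_file, but Postfix and OpenSSL do not care about the prime size, so 2048-bit parameters are generated here` keeps it accurate. Because the exec is guarded by `creates`, a later change to `--bits` will not regenerate an existing file, which is worth stating in that comment too. Separately, `smtpd_tls_eecdh_grade => 'ultra'` selects the P-384 curve; clients that do not offer it typically fall back to the DHE parameters generated here or to non-forward-secret RSA key exchange, so `strong` (P-256) is the usual recommendation unless the larger curve is a deliberate requirement. The enclosing class `site_postfix::mx::tls` starts before this hunk.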