summaryrefslogtreecommitdiff
path: root/puppet/modules
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2013-10-03 13:53:27 -0400
committerMicah Anderson <micah@leap.se>2013-10-03 13:53:27 -0400
commitab6f1ad59dd8e9ab4952bf2e9ab8943d3ae60f44 (patch)
treef585b5e389462934c887a9b0aabf6bc38f237daf /puppet/modules
parenta8ef394f67d8dc742f18a17302ec0f449e53eaa6 (diff)
parent56f7b18d03f5ea337a68d653b422834c9283cfab (diff)
Merge branch 'feature/3953' into develop
Diffstat (limited to 'puppet/modules')
-rw-r--r--puppet/modules/site_postfix/manifests/mx/tls.pp35
1 files changed, 35 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 89b63ba1..3bc7d85b 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -14,6 +14,41 @@ class site_postfix::mx::tls {
'smtpd_tls_ask_ccert': value => 'yes';
'smtpd_tls_security_level':
value => 'may';
+ 'smtpd_tls_eecdh_grade':
+ value => 'ultra'
+ }
+
+ # Setup DH parameters
+ # Instead of using the dh parameters that are created by leap cli, it is more
+ # secure to generate new parameter files that will only be used for postfix,
+ # for each machine
+
+ include site_config::packages::gnutls
+
+ # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+ # parameters Neither Postfix nor OpenSSL actually care about the size of the
+ # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits
+
+ exec { 'certtool-postfix-gendh-1024':
+ command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem',
+ user => root,
+ group => root,
+ creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => Package['gnutls-bin']
+ }
+
+ # Make sure the dh params file has correct ownership and mode
+ file {
+ '/etc/postfix/smtpd_tls_dh_param.pem':
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Exec['certtool-postfix-gendh-1024'];
+ }
+
+ postfix::config { 'smtpd_tls_dh1024_param_file':
+ value => '/etc/postfix/smtpd_tls_dh_param.pem',
+ require => File['/etc/postfix/smtpd_tls_dh_param.pem']
}
}