summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
authorMicah <micah@leap.se>2016-03-06 09:23:34 -0500
committerMicah <micah@leap.se>2016-03-11 15:55:20 -0500
commitf69f7ca97791945d0bbe61eda84e69a8ed460e04 (patch)
tree4dc8e6f8b123c5fe83501173ea37a8f55d36c10a /puppet
parente3112d668a0c8bf334696a251bfc1b5af12ee844 (diff)
Set MUA required ciphers, tighten up the mandatory protocols (#4232)
Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp1
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_tls.pp10
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp11
3 files changed, 22 insertions, 0 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 3230d4f0..7837f415 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -119,6 +119,7 @@ class site_postfix::mx {
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_security_level=encrypt
+ -o tls_preempt_cipherlist=yes
${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
-o smtpd_helo_restrictions=\$smtps_helo_restrictions
-o smtpd_client_restrictions=
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 4eb80dd6..b27c0e3c 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls {
# see issue #4011
'smtp_tls_protocols':
value => '!SSLv2, !SSLv3';
+ 'smtp_tls_mandatory_protocols':
+ value => '!SSLv2, !SSLv3';
+ 'tls_ssl_options':
+ value => 'NO_COMPRESSION';
+ # We can switch between the different postfix internal list of ciphers by
+ # using smtpd_tls_ciphers. For server-to-server connections we leave this
+ # at its default because of opportunistic encryption combined with many mail
+ # servers only support outdated protocols and ciphers and if we are too
+ # strict with required ciphers, then connections *will* fall-back to
+ # plain-text. Bad ciphers are still better than plain text transmission.
}
}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
index 9fed3874..02a59942 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
@@ -20,6 +20,17 @@ class site_postfix::mx::smtpd_tls {
value => 'ultra';
'smtpd_tls_session_cache_database':
value => 'btree:${data_directory}/smtpd_scache';
+ # see issue #4011
+ 'smtpd_tls_mandatory_protocols':
+ value => '!SSLv2, !SSLv3';
+ 'smtpd_tls_protocols':
+ value => '!SSLv2, !SSLv3';
+ # For connections to MUAs, TLS is mandatory and the ciphersuite is modified.
+ # MX and SMTP client configuration
+ 'smtpd_tls_mandatory_ciphers':
+ value => 'high';
+ 'tls_high_cipherlist':
+ value => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
# Setup DH parameters