Diffstat (limited to 'puppet/modules/site_postfix')
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 35 | 
1 files changed, 35 insertions, 0 deletions
| 
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 89b63ba1..3bc7d85b 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -14,6 +14,41 @@ class site_postfix::mx::tls {
     'smtpd_tls_ask_ccert':  value  => 'yes';
     'smtpd_tls_security_level':        value  => 'may';
+    'smtpd_tls_eecdh_grade':
+      value => 'ultra'
+  }
+
+  # Setup DH parameters
+  # Instead of using the dh parameters that are created by leap cli, it is more
+  # secure to generate new parameter files that will only be used for postfix,
+  # for each machine
+
+  include site_config::packages::gnutls
+
+  # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh
+  # parameters Neither Postfix nor OpenSSL actually care about the size of the
+  # prime in "smtpd_tls_dh1024_param_file".  You can make it 2048 bits
+
+  exec { 'certtool-postfix-gendh-1024':
+    command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem',
+    user    => root,
+    group   => root,
+    creates => '/etc/postfix/smtpd_tls_dh_param.pem',
+    require => Package['gnutls-bin']
+  }
+
+  # Make sure the dh params file has correct ownership and mode
+  file {
+    '/etc/postfix/smtpd_tls_dh_param.pem':
+      owner   => root,
+      group   => root,
+      mode    => '0600',
+      require => Exec['certtool-postfix-gendh-1024'];
+  }
+
+  postfix::config { 'smtpd_tls_dh1024_param_file':
+    value   => '/etc/postfix/smtpd_tls_dh_param.pem',
+    require => File['/etc/postfix/smtpd_tls_dh_param.pem']
   }
 }
| 
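Review bot: The `creates => '/etc/postfix/smtpd_tls_dh_param.pem'` guard on the certtool exec means a truncated or empty file left behind by an interrupted or failed `--generate-dh-params` run is never regenerated, and Postfix will then fail TLS setup on every restart until someone deletes the file by hand; generating to a temporary path and renaming into place, or replacing `creates` with an `unless => 'openssl dhparam -check -in /etc/postfix/smtpd_tls_dh_param.pem -noout'`-style validation, would make the resource self-healing. The comment above the exec is also inconsistent with the resource it describes: it says "the file name is called dh_1024.pem" while the outfile is `smtpd_tls_dh_param.pem`, and the exec title `certtool-postfix-gendh-1024` likewise says 1024 for a 2048-bit prime; I would reword it to `# Note: the Postfix parameter is named smtpd_tls_dh1024_param_file, but we generate 2048-bit parameters; neither Postfix nor OpenSSL cares about the prime size in that file.` On `smtpd_tls_eecdh_grade => 'ultra'`, the Postfix documentation (as I recall it) describes the P-384 "ultra" grade as costly and of little benefit over "strong", and newer Postfix releases select curves automatically and ignore this grade, so it is worth confirming the value is intentional for the target Postfix version. The `mode => '0600'` is not a security concern either way, since DH parameters are public and Postfix reads the file before dropping privileges, but a comment saying so would save the next reader from wondering whether the postfix user needs access.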
