From f69f7ca97791945d0bbe61eda84e69a8ed460e04 Mon Sep 17 00:00:00 2001
From: Micah <micah@leap.se>
Date: Sun, 6 Mar 2016 09:23:34 -0500
Subject: Set MUA required ciphers, tighten up the mandatory protocols (#4232)

Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4
---
 puppet/modules/site_postfix/manifests/mx.pp           |  1 +
 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp  | 10 ++++++++++
 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 11 +++++++++++
 3 files changed, 22 insertions(+)

diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 3230d4f0..7837f415 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -119,6 +119,7 @@ class site_postfix::mx {
 smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_tls_security_level=encrypt
+  -o tls_preempt_cipherlist=yes
 ${smtpd_relay_restrictions}  -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
   -o smtpd_helo_restrictions=\$smtps_helo_restrictions
   -o smtpd_client_restrictions=
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 4eb80dd6..b27c0e3c 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls {
     # see issue #4011
     'smtp_tls_protocols':
       value => '!SSLv2, !SSLv3';
+    'smtp_tls_mandatory_protocols':
+      value => '!SSLv2, !SSLv3';
+    'tls_ssl_options':
+      value => 'NO_COMPRESSION';
+    # We can switch between the different postfix internal list of ciphers by
+    # using smtpd_tls_ciphers.  For server-to-server connections we leave this
+    # at its default because of opportunistic encryption combined with many mail
+    # servers only support outdated protocols and ciphers and if we are too
+    # strict with required ciphers, then connections *will* fall-back to
+    # plain-text. Bad ciphers are still better than plain text transmission.
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
index 9fed3874..02a59942 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
@@ -20,6 +20,17 @@ class site_postfix::mx::smtpd_tls {
       value => 'ultra';
     'smtpd_tls_session_cache_database':
       value => 'btree:${data_directory}/smtpd_scache';
+    # see issue #4011
+    'smtpd_tls_mandatory_protocols':
+      value => '!SSLv2, !SSLv3';
+    'smtpd_tls_protocols':
+      value => '!SSLv2, !SSLv3';
+    # For connections to MUAs, TLS is mandatory and the ciphersuite is modified.
+    # MX and SMTP client configuration
+    'smtpd_tls_mandatory_ciphers':
+      value => 'high';
+    'tls_high_cipherlist':
+      value => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
   }
 
   # Setup DH parameters
-- 
cgit v1.2.3