From ddcab83dda101ee335bbf37451f37e2bfe358c7f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Aug 2013 16:14:53 -0400 Subject: Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index ed5b3832..18815f70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,6 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } -- cgit v1.2.3