From a457f610aca8544b4c9e3a3f4ddcc4d00a05baf6 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Thu, 26 Sep 2013 14:53:37 -0400
Subject: Add client-side TLS configuration (#3868)

Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206
---
 puppet/modules/site_postfix/manifests/mx/tls.pp | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'puppet/modules/site_postfix')

diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 34df72bb..89b63ba1 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -17,3 +17,24 @@ class site_postfix::mx::tls {
   }
 
 }
+  # smtp TLS
+  postfix::config {
+    'smtp_use_tls':        value  => 'yes';
+    'smtp_tls_CApath':     value  => '/etc/ssl/certs/';
+    'smtp_tls_CAfile':     value  => $ca_path;
+    'smtp_tls_cert_file':  value  => $cert_path;
+    'smtp_tls_key_file':   value  => $key_path;
+    'smtp_tls_ask_ccert':  value  => 'yes';
+    'smtp_tls_loglevel':   value  => '1';
+    'smtp_tls_exclude_ciphers':
+      value => 'aNULL, MD5, DES';
+    # upstream default is md5 (since 2.5 and older used it), we force sha1
+    'smtp_tls_fingerprint_digest':
+      value => 'sha1';
+    'smtp_tls_session_cache_database':
+      value => 'btree:${queue_directory}/smtp_cache';
+    'smtp_tls_security_level':
+      value  => 'may';
+  }
+
+
-- 
cgit v1.2.3