From f531ec536a55d756262329f516f1b3bdccf4f0b4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:20:19 -0400 Subject: setup smtpd_tls_eecdh_grade to 'ultra' and configure the smtpd_tls_dh1024_param file, after generating it (#3953) Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..9122a974 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -14,6 +14,37 @@ class site_postfix::mx::tls { 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + exec { 'certtool-postfix-gendh-1024': + command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + user => root, + group => root, + creates => '/etc/postfix/dh_1024.pem', + require => Package['gnutls-bin'] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/dh_1024.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh-1024']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/dh_1024.pem', + require => File['/etc/postfix/dh_1024.pem'] } } -- cgit v1.2.3 From 56f7b18d03f5ea337a68d653b422834c9283cfab Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_postfix') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 9122a974..5e399f5c 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -25,17 +25,21 @@ class site_postfix::mx::tls { include site_config::packages::gnutls + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, - creates => '/etc/postfix/dh_1024.pem', + creates => '/etc/postfix/smtpd_tls_dh_param.pem', require => Package['gnutls-bin'] } # Make sure the dh params file has correct ownership and mode file { - '/etc/postfix/dh_1024.pem': + '/etc/postfix/smtpd_tls_dh_param.pem': owner => root, group => root, mode => '0600', @@ -43,8 +47,8 @@ class site_postfix::mx::tls { } postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/dh_1024.pem', - require => File['/etc/postfix/dh_1024.pem'] + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] } } -- cgit v1.2.3