Enhance default TLS configuration

Increase default security settings according to upstream documentation,
though it is by no means perfect.
This commit is contained in:
Gilles Dartiguelongue 2015-08-23 00:27:03 +02:00
parent 2e0e9cdd27
commit 609737b0cc


@ -56,10 +56,18 @@
# TLS parameters (http://www.postfix.org/TLS_README.html) # TLS parameters (http://www.postfix.org/TLS_README.html)
# Recipient settings # Recipient settings
{{ set_parameter('smtpd_use_tls') }} {{ set_parameter('smtpd_use_tls') }}
{{ set_parameter('smtpd_tls_loglevel', 1) }}
{{ set_parameter('smtpd_tls_security_level', 'may') }}
{{ set_parameter('smtpd_tls_cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }} {{ set_parameter('smtpd_tls_cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }}
{{ set_parameter('smtpd_tls_key_file', '/etc/ssl/private/ssl-cert-snakeoil.key') }} {{ set_parameter('smtpd_tls_key_file', '/etc/ssl/private/ssl-cert-snakeoil.key') }}
{{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }} {{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }}
{{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }}
{{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }}
{{ set_parameter('smtpd_tls_mandatory_protocols', ['!SSLv2', '!SSLv3']) }}
{{ set_parameter('tls_preempt_cipherlist', 'yes') }}
# Relay/Sender settings # Relay/Sender settings
{{ set_parameter('smtp_tls_loglevel', 1) }}
{{ set_parameter('smtp_tls_security_level', 'may') }}
{{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }} {{ set_parameter('smtp_tls_session_cache_database', 'btree:${data_directory}/smtp_scache') }}
{%- endif %} {%- endif %}
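Review bot: The new `smtpd_tls_mandatory_ciphers`, `smtpd_tls_mandatory_exclude_ciphers` and `smtpd_tls_mandatory_protocols` entries only take effect when `smtpd_tls_security_level` is `encrypt` or stronger, but the same hunk pins it to `may`, so the opportunistic handshake — the only mode this template configures — still runs on Postfix's non-mandatory defaults (`smtpd_tls_protocols`, `smtpd_tls_ciphers`). If the intent is to exclude SSLv2/SSLv3 and anonymous/MD5 ciphers at this level, add the opportunistic counterparts next to the mandatory ones, e.g. `{{ set_parameter('smtpd_tls_protocols', ['!SSLv2', '!SSLv3']) }}` and `{{ set_parameter('smtpd_tls_exclude_ciphers', ['aNULL', 'MD5']) }}`, bearing in mind that under opportunistic TLS a rejected handshake falls back to cleartext, which upstream leaves as an operator policy choice. The Relay/Sender block has the same gap: `smtp_tls_security_level = may` is set with no `smtp_tls_protocols` or `smtp_tls_exclude_ciphers`, so the client side stays on defaults. Whether `set_parameter` renders a list as the comma-separated value Postfix expects is not visible in this hunk.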