authorSilvio Rhatto <rhatto@riseup.net>2016-06-04 23:02:08 -0300
committerSilvio Rhatto <rhatto@riseup.net>2016-06-04 23:02:08 -0300
commitc32095df77012083a1b406622bca19e65d301fab (patch)
treebe67c6df534f6bc2c07a5a3edf6286771fb2f593
parent79a1a1933d459a446796e6e873ac69188266488a (diff)
Move to 2048 bit DH params using ssl::dhparams
-rw-r--r--manifests/tls/hardened.pp42
1 files changed, 29 insertions, 13 deletions
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
index 735135c..cf7d1dd 100644
--- a/manifests/tls/hardened.pp
+++ b/manifests/tls/hardened.pp
@@ -15,28 +15,44 @@ class mail::tls::hardened inherits mail::tls {
# DH parameters
postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
+ #postfix::config { "smtpd_tls_dh1024_param_file":
+ # value => '/etc/ssl/dhparams/dhparams_1024.pem',
+ # require => Exec['openssl-postfix-gendh-1024'],
+ #}
+
+ # See https://leap.se/code/issues/4012
+ # https://drownattack.com/postfix.html
postfix::config { "smtpd_tls_dh1024_param_file":
- value => '/etc/postfix/dh_1024.pem',
- require => Exec['openssl-postfix-gendh-1024'],
+ value => '/etc/ssl/dhparams/dhparams_2048.pem',
+ require => Exec['openssl-postfix-gendh-2048'],
+ }
+
+ # Old file locations
+ file { [ '/etc/postfix/dh_512.pem', '/etc/postfix/dh_1024.pem' ]:
+ ensure => absent,
}
postfix::config { "smtpd_tls_dh512_param_file":
- value => '/etc/postfix/dh_512.pem',
+ value => '/etc/ssl/dhparams/dhparams_512.pem',
require => Exec['openssl-postfix-gendh-512'],
}
- exec { 'openssl-postfix-gendh-512':
- command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
- user => root,
- group => root,
- creates => '/etc/postfix/dh_512.pem',
+ ssl::dhparams { 'openssl-postfix-gendh-512':
+ prefix => 'dh',
+ size => '512',
+ folder => '/etc/postfix',
+ }
+
+ ssl::dhparams { 'openssl-postfix-gendh-1024':
+ prefix => 'dh',
+ size => '1024',
+ folder => '/etc/postfix',
}
- exec { 'openssl-postfix-gendh-1024':
- command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
- user => root,
- group => root,
- creates => '/etc/postfix/dh_1024.pem',
+ ssl::dhparams { 'openssl-postfix-gendh-2048':
+ prefix => 'dh',
+ size => '2048',
+ folder => '/etc/postfix',
}
postfix::config { "smtpd_tls_exclude_ciphers":