| author | Silvio Rhatto <rhatto@riseup.net> | 2016-06-04 23:02:08 -0300 | 
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2016-06-04 23:02:08 -0300 | 
| commit | c32095df77012083a1b406622bca19e65d301fab (patch) | |
| tree | be67c6df534f6bc2c07a5a3edf6286771fb2f593 | |
| parent | 79a1a1933d459a446796e6e873ac69188266488a (diff) | |
| download | puppet-mail-c32095df77012083a1b406622bca19e65d301fab.tar.gz puppet-mail-c32095df77012083a1b406622bca19e65d301fab.tar.bz2  | |
Move to 2048 bit DH params using ssl::dhparams
| -rw-r--r-- | manifests/tls/hardened.pp | 42 | 
1 files changed, 29 insertions, 13 deletions
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
index 735135c..cf7d1dd 100644
--- a/manifests/tls/hardened.pp
+++ b/manifests/tls/hardened.pp
@@ -15,28 +15,44 @@ class mail::tls::hardened inherits mail::tls {
   # DH parameters
   postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
 
+  #postfix::config { "smtpd_tls_dh1024_param_file":
+  #  value   => '/etc/ssl/dhparams/dhparams_1024.pem',
+  #  require => Exec['openssl-postfix-gendh-1024'],
+  #}
+
+  # See https://leap.se/code/issues/4012
+  #     https://drownattack.com/postfix.html
   postfix::config { "smtpd_tls_dh1024_param_file":
-    value   => '/etc/postfix/dh_1024.pem',
-    require => Exec['openssl-postfix-gendh-1024'],
+    value   => '/etc/ssl/dhparams/dhparams_2048.pem',
+    require => Exec['openssl-postfix-gendh-2048'],
+  }
+
+  # Old file locations
+  file { [ '/etc/postfix/dh_512.pem', '/etc/postfix/dh_1024.pem' ]:
+    ensure => absent,
   }
 
   postfix::config { "smtpd_tls_dh512_param_file":
-    value   => '/etc/postfix/dh_512.pem',
+    value   => '/etc/ssl/dhparams/dhparams_512.pem',
     require => Exec['openssl-postfix-gendh-512'],
   }
 
-  exec { 'openssl-postfix-gendh-512':
-    command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
-    user    => root,
-    group   => root,
-    creates => '/etc/postfix/dh_512.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-512':
+    prefix => 'dh',
+    size   => '512',
+    folder => '/etc/postfix',
+  }
+
+  ssl::dhparams { 'openssl-postfix-gendh-1024':
+    prefix => 'dh',
+    size   => '1024',
+    folder => '/etc/postfix',
   }
 
-  exec { 'openssl-postfix-gendh-1024':
-    command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
-    user    => root,
-    group   => root,
-    creates => '/etc/postfix/dh_1024.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-2048':
+    prefix => 'dh',
+    size   => '2048',
+    folder => '/etc/postfix',
   }
 
   postfix::config { "smtpd_tls_exclude_ciphers":
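Review bot: The new `ssl::dhparams` resources are declared with `folder => '/etc/postfix'` and `prefix => 'dh'`, yet the `postfix::config` values point Postfix at `/etc/ssl/dhparams/dhparams_2048.pem` and `/etc/ssl/dhparams/dhparams_512.pem`, and the new `file { ... ensure => absent }` removes `/etc/postfix/dh_512.pem` and `/etc/postfix/dh_1024.pem`; if `ssl::dhparams` derives its output path from folder/prefix/size (not visible here), the files Postfix is configured to load are never generated and the ones that are generated get deleted again, so the three values should be made to agree, e.g. `folder => '/etc/ssl/dhparams', prefix => 'dhparams'` with the same paths in the configs. The `require => Exec['openssl-postfix-gendh-2048']` (and `...-512`) references presumably only resolve if the defined type declares an exec with exactly that title; referencing the declared resource directly, `require => Ssl::Dhparams['openssl-postfix-gendh-2048'],`, does not depend on that internal detail. Despite the title, `smtpd_tls_dh512_param_file` still hands Postfix a 512-bit group and both the 512 and 1024 generators remain; the 512-bit group is only used for export-grade ciphers, so once those are excluded by the `smtpd_tls_exclude_ciphers` setting that follows the hunk, that config and the two smaller generators can be removed instead of maintained. The commented-out `#postfix::config` block above the live one is dead config and should be deleted rather than kept. The enclosing class `mail::tls::hardened` starts and ends outside the hunk.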
