authorSilvio Rhatto <rhatto@riseup.net>2013-07-16 16:46:00 -0300
committerSilvio Rhatto <rhatto@riseup.net>2013-07-16 16:46:00 -0300
commitd75ba57fa046ac72c8f4b6fc3d1219103cd76e6d (patch)
treef4aad7af993fb17e14238e4e90ba9b51551a0d97
parent0fb31b3950feee65511f029b2626b5bc816d1f10 (diff)
downloadpuppet-mail-d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d.tar.gz
puppet-mail-d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d.tar.bz2
Adding mail::tls::hardened
-rw-r--r--manifests/tls/hardened.pp41
1 files changed, 41 insertions, 0 deletions
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
new file mode 100644
index 0000000..6717302
--- /dev/null
+++ b/manifests/tls/hardened.pp
@@ -0,0 +1,41 @@
+class mail::tls::hardened inherits mail::tls {
+ # Hardened config
+ postfix::config { "smtpd_tls_ciphers": value => 'high' }
+ postfix::config { "smtp_tls_protocols": value => '!SSLv2, SSLv3, TLSv1' }
+ postfix::config { "smtp_tls_note_starttls_offer": value => 'yes' }
+ postfix::config { "smtpd_tls_received_header": value => 'yes' }
+ postfix::config { "smtpd_tls_mandatory_protocols": value => 'TLSv1' }
+ postfix::config { "smtpd_tls_session_cache_database": value => 'btree:${queue_directory}/smtpd_scache' }
+ postfix::config { "smtp_tls_session_cache_database": value => 'btree:${queue_directory}/smtp_scache' }
+
+ # DH parameters
+ postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
+
+ postfix::config { "smtpd_tls_dh1024_param_file":
+ value => '/etc/postfix/dh_1024.pem'
+ require => Exec['openssl-postfix-gendh-1024'],
+ }
+
+ postfix::config { "smtpd_tls_dh512_param_file":
+ value => '/etc/postfix/dh_512.pem',
+ require => Exec['openssl-postfix-gendh-512'],
+ }
+
+ exec { 'openssl-postfix-gendh-512':
+ command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
+ owner => root,
+ group => root,
+ creates => '/etc/postfix/dh_512.pem',
+ }
+
+ exec { 'openssl-postfix-gendh-1024':
+ command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
+ owner => root,
+ group => root,
+ creates => '/etc/postfix/dh_1024.pem',
+ }
+
+ postfix::config { "smtpd_tls_exclude_ciphers":
+ value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA',
+ }
+}
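Review bot: The `smtpd_tls_dh1024_param_file` resource is missing the comma after `value => '/etc/postfix/dh_1024.pem'`, so the manifest will not parse, and both `exec` resources pass `owner => root`, which is not an Exec parameter (Exec takes `user`), so the catalog will also fail to compile once the parse error is fixed. The two `openssl gendh` commands are not fully qualified and no `path` is set, which Puppet rejects as well; the rewritten resources below add a `path` (adjust for the platform) and keep the `creates` guards unchanged. Separately, `smtp_tls_protocols` mixes the `!SSLv2` exclusion form with an inclusion list (`SSLv3, TLSv1`) while `smtpd_tls_mandatory_protocols` names only `TLSv1`; it is unclear which protocol set is intended for the client side, so a one-line comment stating it, e.g. `# client side: exclude SSLv2 only; server mandatory TLS: TLSv1`, would help the next reader. Note that `${queue_directory}` in the session-cache values is single-quoted, so it is passed literally for Postfix to expand rather than interpolated by Puppet; a comment saying so would prevent someone "fixing" it.
```puppet
  postfix::config { "smtpd_tls_dh1024_param_file":
    value   => '/etc/postfix/dh_1024.pem',
    require => Exec['openssl-postfix-gendh-1024'],
  }

  # … unchanged: smtpd_tls_dh512_param_file …

  exec { 'openssl-postfix-gendh-512':
    command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
    path    => ['/usr/bin', '/bin'],
    user    => root,
    group   => root,
    creates => '/etc/postfix/dh_512.pem',
  }

  exec { 'openssl-postfix-gendh-1024':
    command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
    path    => ['/usr/bin', '/bin'],
    user    => root,
    group   => root,
    creates => '/etc/postfix/dh_1024.pem',
  }

  # … unchanged: smtpd_tls_exclude_ciphers …
```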