author | Silvio Rhatto <rhatto@riseup.net> | 2013-07-16 16:46:00 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-07-16 16:46:00 -0300 |
commit | d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d (patch) | |
tree | f4aad7af993fb17e14238e4e90ba9b51551a0d97 /manifests | |
parent | 0fb31b3950feee65511f029b2626b5bc816d1f10 (diff) | |
download | puppet-mail-d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d.tar.gz puppet-mail-d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d.tar.bz2 |
Adding mail::tls::hardened
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/tls/hardened.pp | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
new file mode 100644
index 0000000..6717302
--- /dev/null
+++ b/manifests/tls/hardened.pp
@@ -0,0 +1,41 @@
+class mail::tls::hardened inherits mail::tls {
+ # Hardened config
+ postfix::config { "smtpd_tls_ciphers": value => 'high' }
+ postfix::config { "smtp_tls_protocols": value => '!SSLv2, SSLv3, TLSv1' }
+ postfix::config { "smtp_tls_note_starttls_offer": value => 'yes' }
+ postfix::config { "smtpd_tls_received_header": value => 'yes' }
+ postfix::config { "smtpd_tls_mandatory_protocols": value => 'TLSv1' }
+ postfix::config { "smtpd_tls_session_cache_database": value => 'btree:${queue_directory}/smtpd_scache' }
+ postfix::config { "smtp_tls_session_cache_database": value => 'btree:${queue_directory}/smtp_scache' }
+
+ # DH parameters
+ postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
+
+ postfix::config { "smtpd_tls_dh1024_param_file":
+ value => '/etc/postfix/dh_1024.pem'
+ require => Exec['openssl-postfix-gendh-1024'],
+ }
+
+ postfix::config { "smtpd_tls_dh512_param_file":
+ value => '/etc/postfix/dh_512.pem',
+ require => Exec['openssl-postfix-gendh-512'],
+ }
+
+ exec { 'openssl-postfix-gendh-512':
+ command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
+ owner => root,
+ group => root,
+ creates => '/etc/postfix/dh_512.pem',
+ }
+
+ exec { 'openssl-postfix-gendh-1024':
+ command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
+ owner => root,
+ group => root,
+ creates => '/etc/postfix/dh_1024.pem',
+ }
+
+ postfix::config { "smtpd_tls_exclude_ciphers":
+ value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA',
+ }
+}
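Review bot: The `smtpd_tls_dh1024_param_file` resource is missing a comma after `value => '/etc/postfix/dh_1024.pem'`, so the manifest will not parse as written. The two `exec` resources use `owner => root`, which is not an `exec` attribute (the run-as parameter is `user`), and `openssl` is invoked without a `path`, so catalog application would fail on an unqualified command unless a default path is set elsewhere in the module; `user => root,` together with `path => ['/usr/bin', '/bin'],` would address both. On the TLS side, the 512-bit DH file only serves export-grade EDH ciphers, which `smtpd_tls_ciphers => 'high'` and the exclusion list already rule out, so generating it adds little. Since only `smtpd_tls_mandatory_protocols` is set, the server side still accepts SSLv3 on opportunistic connections; if that is not intended, add `postfix::config { "smtpd_tls_protocols": value => '!SSLv2, !SSLv3' }` alongside the client-side setting.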