summaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2013-07-16 16:46:00 -0300
committerSilvio Rhatto <rhatto@riseup.net>2013-07-16 16:46:00 -0300
commitd75ba57fa046ac72c8f4b6fc3d1219103cd76e6d (patch)
treef4aad7af993fb17e14238e4e90ba9b51551a0d97 /manifests
parent0fb31b3950feee65511f029b2626b5bc816d1f10 (diff)
downloadpuppet-mail-d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d.tar.gz
puppet-mail-d75ba57fa046ac72c8f4b6fc3d1219103cd76e6d.tar.bz2
Adding mail::tls::hardened
Diffstat (limited to 'manifests')
-rw-r--r--manifests/tls/hardened.pp41
1 files changed, 41 insertions, 0 deletions
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
new file mode 100644
index 0000000..6717302
--- /dev/null
+++ b/manifests/tls/hardened.pp
@@ -0,0 +1,41 @@
+class mail::tls::hardened inherits mail::tls {
+ # Hardened config
+ postfix::config { "smtpd_tls_ciphers": value => 'high' }
+ postfix::config { "smtp_tls_protocols": value => '!SSLv2, SSLv3, TLSv1' }
+ postfix::config { "smtp_tls_note_starttls_offer": value => 'yes' }
+ postfix::config { "smtpd_tls_received_header": value => 'yes' }
+ postfix::config { "smtpd_tls_mandatory_protocols": value => 'TLSv1' }
+ postfix::config { "smtpd_tls_session_cache_database": value => 'btree:${queue_directory}/smtpd_scache' }
+ postfix::config { "smtp_tls_session_cache_database": value => 'btree:${queue_directory}/smtp_scache' }
+
+ # DH parameters
+ postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
+
+ postfix::config { "smtpd_tls_dh1024_param_file":
+ value => '/etc/postfix/dh_1024.pem'
+ require => Exec['openssl-postfix-gendh-1024'],
+ }
+
+ postfix::config { "smtpd_tls_dh512_param_file":
+ value => '/etc/postfix/dh_512.pem',
+ require => Exec['openssl-postfix-gendh-512'],
+ }
+
+ exec { 'openssl-postfix-gendh-512':
+ command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
+ owner => root,
+ group => root,
+ creates => '/etc/postfix/dh_512.pem',
+ }
+
+ exec { 'openssl-postfix-gendh-1024':
+ command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
+ owner => root,
+ group => root,
+ creates => '/etc/postfix/dh_1024.pem',
+ }
+
+ postfix::config { "smtpd_tls_exclude_ciphers":
+ value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA',
+ }
+}