| -rw-r--r-- | manifests/tls/hardened.pp | 41 | 
1 files changed, 41 insertions, 0 deletions
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
new file mode 100644
index 0000000..6717302
--- /dev/null
+++ b/manifests/tls/hardened.pp
@@ -0,0 +1,41 @@
+class mail::tls::hardened inherits mail::tls {
+  # Hardened config
+  postfix::config { "smtpd_tls_ciphers":                value => 'high' }
+  postfix::config { "smtp_tls_protocols":               value => '!SSLv2, SSLv3, TLSv1' }
+  postfix::config { "smtp_tls_note_starttls_offer":     value => 'yes' }
+  postfix::config { "smtpd_tls_received_header":        value => 'yes' }
+  postfix::config { "smtpd_tls_mandatory_protocols":    value => 'TLSv1' }
+  postfix::config { "smtpd_tls_session_cache_database": value => 'btree:${queue_directory}/smtpd_scache' }
+  postfix::config { "smtp_tls_session_cache_database":  value => 'btree:${queue_directory}/smtp_scache' }
+
+  # DH parameters
+  postfix::config { "smtpd_tls_eecdh_grade":       value => 'strong' }
+
+  postfix::config { "smtpd_tls_dh1024_param_file":
+    value   => '/etc/postfix/dh_1024.pem'
+    require => Exec['openssl-postfix-gendh-1024'],
+  }
+
+  postfix::config { "smtpd_tls_dh512_param_file":
+    value   => '/etc/postfix/dh_512.pem',
+    require => Exec['openssl-postfix-gendh-512'],
+  }
+
+  exec { 'openssl-postfix-gendh-512':
+    command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
+    owner   => root,
+    group   => root,
+    creates => '/etc/postfix/dh_512.pem',
+  }
+
+  exec { 'openssl-postfix-gendh-1024':
+    command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
+    owner   => root,
+    group   => root,
+    creates => '/etc/postfix/dh_1024.pem',
+  }
+
+  postfix::config { "smtpd_tls_exclude_ciphers":
+    value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA',
+  }
+}
 | 
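Review bot: The `smtpd_tls_dh1024_param_file` resource is missing the comma after `value   => '/etc/postfix/dh_1024.pem'`, so the manifest does not parse; both `exec` resources also use `owner`, which is not an exec attribute (`user` is), and their `command` is not fully qualified with no `path` given, so the catalog still fails to compile once the comma is added. On the protocol side, `smtpd_tls_mandatory_protocols => 'TLSv1'` is an inclusion list that limits enforced-TLS sessions to TLS 1.0 only, and `smtpd_tls_protocols` is never set, so the opportunistic server side still accepts SSLv3; the exclusion form `'!SSLv2, !SSLv3'` for both smtpd settings (and for `smtp_tls_protocols`, which currently mixes `!SSLv2` with bare `SSLv3, TLSv1`) expresses the intent. The 512- and 1024-bit DH parameters are below current minimums; generating 2048-bit parameters with `openssl dhparam` into the file referenced by `smtpd_tls_dh1024_param_file` keeps the same resource layout, and `smtpd_tls_dh512_param_file` only matters for export ciphers that `smtpd_tls_ciphers => 'high'` already excludes. Note also that `smtpd_tls_ciphers` and `smtpd_tls_exclude_ciphers` govern opportunistic TLS only; a hardened class presumably wants `smtpd_tls_mandatory_ciphers` and `smtpd_tls_mandatory_exclude_ciphers` set to match.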
