From ccdbd41de5b996c8cbd2476bfc7054affb1d0625 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Mon, 20 Oct 2014 13:33:55 -0200
Subject: Disabling SSLv3 in postfix
---
 manifests/tls/hardened.pp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'manifests')
diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
index 67f68da..63306f5 100644
--- a/manifests/tls/hardened.pp
+++ b/manifests/tls/hardened.pp
@@ -1,10 +1,12 @@
 class mail::tls::hardened inherits mail::tls {
 # Hardened config
 postfix::config { "smtpd_tls_ciphers": value => 'high' }
- postfix::config { "smtp_tls_protocols": value => '!SSLv2, SSLv3, TLSv1' }
+ postfix::config { "smtp_tls_protocols": value => '!SSLv2, !SSLv3' }
+ postfix::config { "smtp_tls_mandatory_protocols" value => '!SSLv2, !SSLv3' }
 postfix::config { "smtp_tls_note_starttls_offer": value => 'yes' }
 postfix::config { "smtpd_tls_received_header": value => 'yes' }
- postfix::config { "smtpd_tls_mandatory_protocols": value => 'TLSv1' }
+ postfix::config { "smtpd_tls_protocols": value => '!SSLv2, !SSLv3' }
+ postfix::config { "smtpd_tls_mandatory_protocols": value => '!SSLv2, !SSLv3' }
 postfix::config { "smtpd_tls_session_cache_database": value => 'btree:${data_directory}/smtpd_scache' }
 postfix::config { "smtp_tls_session_cache_database": value => 'btree:${data_directory}/smtp_scache' }
-- cgit v1.2.3
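Review bot: The added `smtp_tls_mandatory_protocols` resource is missing the `:` after its title, so the manifest should fail to parse and none of the protocol exclusions in this class would be applied; it should read `postfix::config { "smtp_tls_mandatory_protocols": value => '!SSLv2, !SSLv3' }`. Running `puppet parser validate` on the file before merging would catch this kind of slip. Separately, the new `smtp_tls_protocols` and `smtpd_tls_protocols` lines also cover opportunistic TLS, where a peer that only offers SSLv3 will presumably end up exchanging mail in cleartext rather than failing, so a one-line comment above the four settings would record that this is intended, e.g. `# SSLv2/SSLv3 excluded for both opportunistic and mandatory TLS, client and server`. The class body continues past the end of the hunk.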