# Hardened TLS settings layered on top of mail::tls.
#
# Only SSLv2 and SSLv3 are excluded from the protocol lists, so TLSv1.0 and
# TLSv1.1 remain negotiable with this policy; NOTE(review): tighten the lists
# once legacy peers no longer need those versions.
class mail::tls::hardened inherits mail::tls {

  # Shared protocol exclusion list, applied to opportunistic and mandatory
  # TLS on both the client (smtp_*) and server (smtpd_*) side.
  $hardened_tls_protocols = '!SSLv2, !SSLv3'

  # Cipher and protocol policy.
  postfix::config {
    'smtpd_tls_ciphers':
      value => 'high';
    'smtp_tls_protocols':
      value => $hardened_tls_protocols;
    'smtp_tls_mandatory_protocols':
      value => $hardened_tls_protocols;
    'smtpd_tls_protocols':
      value => $hardened_tls_protocols;
    'smtpd_tls_mandatory_protocols':
      value => $hardened_tls_protocols;
    # Refuse anonymous, legacy-digest and legacy-cipher suites, plus the two
    # static-RSA AES suites (no forward secrecy).
    'smtpd_tls_exclude_ciphers':
      value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA';
    # Disable TLS-level compression.
    'tls_ssl_options':
      value => 'no_compression';
  }

  # Logging and observability.
  postfix::config {
    'smtp_tls_note_starttls_offer':
      value => 'yes';
    'smtpd_tls_received_header':
      value => 'yes';
    'smtpd_tls_loglevel':
      value => '1';
  }

  # Session caches. The values are single-quoted on purpose: ${data_directory}
  # is expanded by Postfix at runtime, not by Puppet.
  postfix::config {
    'smtpd_tls_session_cache_database':
      value => 'btree:${data_directory}/smtpd_scache';
    'smtp_tls_session_cache_database':
      value => 'btree:${data_directory}/smtp_scache';
  }

  # Ephemeral key exchange.
  postfix::config {
    'smtpd_tls_eecdh_grade':
      value => 'strong';
  }

  # Generated Diffie-Hellman parameter files. The 1024-bit file is still
  # generated but no setting in this class references it any more (the
  # 2048-bit file replaced it); NOTE(review): retire it once nothing else
  # depends on Exec['openssl-postfix-gendh-1024'].
  ssl::dhparams {
    'openssl-postfix-gendh-512':
      size => '512';
    'openssl-postfix-gendh-1024':
      size => '1024';
    'openssl-postfix-gendh-2048':
      size => '2048';
  }

  # The parameter name says "dh1024" for historical reasons; it deliberately
  # points at the 2048-bit file. Background:
  #   https://leap.se/code/issues/4012
  #   https://drownattack.com/postfix.html
  postfix::config { 'smtpd_tls_dh1024_param_file':
    value   => '/etc/ssl/dhparams/dhparams_2048.pem',
    require => Exec['openssl-postfix-gendh-2048'],
  }

  # 512-bit parameters are only consulted for export-grade ciphers, which the
  # 'high' cipher grade above does not offer; NOTE(review): confirm that against
  # the deployed Postfix version before relying on it.
  postfix::config { 'smtpd_tls_dh512_param_file':
    value   => '/etc/ssl/dhparams/dhparams_512.pem',
    require => Exec['openssl-postfix-gendh-512'],
  }

  # Clean up parameter files left at the previous locations.
  file { ['/etc/postfix/dh_512.pem', '/etc/postfix/dh_1024.pem']:
    ensure => absent,
  }
}