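# Hardened Postfix TLS settings layered on top of mail::tls.
#
# Each postfix::config resource sets one main.cf parameter; the `value`
# strings are handed to Postfix verbatim. The class also generates the
# Diffie-Hellman parameter files the server-side DH settings point at.
class mail::tls::hardened inherits mail::tls {

  # Cipher grade and protocol selection: only "high" grade ciphers, and
  # SSLv2/SSLv3 disabled on both the server (smtpd_*) and client (smtp_*)
  # side, for opportunistic and mandatory TLS alike. TLS compression is
  # switched off and the log level raised to 1 so handshakes are recorded.
  postfix::config {
    'smtpd_tls_ciphers':                value => 'high';
    'smtp_tls_protocols':               value => '!SSLv2, !SSLv3';
    'smtp_tls_mandatory_protocols':     value => '!SSLv2, !SSLv3';
    'smtp_tls_note_starttls_offer':     value => 'yes';
    'smtpd_tls_received_header':        value => 'yes';
    'smtpd_tls_protocols':              value => '!SSLv2, !SSLv3';
    'smtpd_tls_mandatory_protocols':    value => '!SSLv2, !SSLv3';
    # Single quotes are deliberate: ${data_directory} must reach main.cf
    # literally so that Postfix, not Puppet, expands it.
    'smtpd_tls_session_cache_database': value => 'btree:${data_directory}/smtpd_scache';
    'smtp_tls_session_cache_database':  value => 'btree:${data_directory}/smtp_scache';
    'tls_ssl_options':                  value => 'no_compression';
    'smtpd_tls_loglevel':               value => '1';
  }

  # Key-exchange parameters. The ECDH grade is fixed; the finite-field DH
  # groups come from files generated by the exec resources below, so each
  # config entry requires its generator.
  postfix::config { 'smtpd_tls_eecdh_grade':
    value => 'strong',
  }
  postfix::config { 'smtpd_tls_dh1024_param_file':
    value   => '/etc/postfix/dh_1024.pem',
    require => Exec['openssl-postfix-gendh-1024'],
  }
  postfix::config { 'smtpd_tls_dh512_param_file':
    value   => '/etc/postfix/dh_512.pem',
    require => Exec['openssl-postfix-gendh-512'],
  }

  # Generate the DH groups once. `creates` makes the execs idempotent: a file
  # that already exists is never regenerated, so changing the command below
  # does not touch hosts that already carry a parameter file.
  #
  # `openssl dhparam` replaces the original `openssl gendh`, which newer
  # OpenSSL releases no longer provide; the arguments are identical. An
  # explicit `path` is given so the resources do not depend on an Exec
  # default being declared somewhere else in the manifest tree.
  #
  # NOTE(review): 512- and 1024-bit groups are below current guidance
  # (2048-bit or larger). The 512-bit group is only used with export-grade
  # ciphers, which the 'high' cipher grade above should already rule out;
  # the 1024-bit group is the one that matters and is worth raising (Postfix
  # accepts a larger group in smtpd_tls_dh1024_param_file). Budget the
  # exec `timeout` accordingly if the size is increased, since generating a
  # larger group can take several minutes on small hosts.
  exec { 'openssl-postfix-gendh-512':
    command => 'openssl dhparam -out /etc/postfix/dh_512.pem -2 512',
    path    => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
    user    => root,
    group   => root,
    creates => '/etc/postfix/dh_512.pem',
  }
  exec { 'openssl-postfix-gendh-1024':
    command => 'openssl dhparam -out /etc/postfix/dh_1024.pem -2 1024',
    path    => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
    user    => root,
    group   => root,
    creates => '/etc/postfix/dh_1024.pem',
  }

  # Explicit exclusions on top of the 'high' grade: anonymous DH, MD5 and
  # single/triple DES suites, RC4, and the plain RSA-keyed AES-SHA suites
  # (no forward secrecy).
  postfix::config { 'smtpd_tls_exclude_ciphers':
    value => 'aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA',
  }
}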