bastion / postfix: disable tls_resue for now

Something is broken with smtp_tls_connection_reuse = yes, so disable it for now. Also, setup a tls_policy map file and tell it to not use tls for mx2.redhat.com. The normal smtp connection reuse works just fine, so this will keep mail flowing until we can one day figure out why tls connection reuse is busted. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-05-24 12:08:58 -07:00 · 2022-05-24 12:08:58 -07:00 · a1af68173d
commit a1af68173d
parent 8962731dbc
3 changed files with 19 additions and 8 deletions
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@ -747,11 +747,6 @@ smtp_tls_CApath = /etc/pki/tls/certs
 #
 smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

-# Use TLS if this is supported by the remote SMTP server, otherwise use
-# plaintext (opportunistic TLS outbound).
-#
-smtp_tls_security_level = may
-
 ## TLS
 # enable opportunistic TLS support in the SMTP server
 smtpd_use_tls = yes
@ -772,7 +767,6 @@ smtpd_tls_eecdh_grade = ultra
 smtp_tls_fingerprint_digest=sha1
 smtp_tls_note_starttls_offer = yes
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-smtp_tls_security_level = may
 smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
 smtp_tls_mandatory_ciphers = high
 smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
@ -780,10 +774,11 @@ smtp_tls_loglevel = 1
 smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
 smtp_tls_key_file = /etc/pki/tls/private/gateway.key
 smtp_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt
-smtp_tls_connection_reuse = yes
-smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com
+smtp_tls_connection_reuse = no
+smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com,redhat.com
 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
 smtp_tls_session_cache_timeout = 3600s
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy                                                 
 ## End smtp_tls
 ## General TLS
 tls_random_source                       = dev:/dev/urandom
--- a/roles/base/files/postfix/tls_policy.gateway
+++ b/roles/base/files/postfix/tls_policy.gateway
@ -0,0 +1 @@
+redhat.com  may
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@ -30,6 +30,21 @@
  - config
  - base

+- name: install /etc/postfix/tls_policy file
+  copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
+  with_first_found:
+    - "postfix/master.cf/master.cf.{{ inventory_hostname }}"
+    - "postfix/master.cf/master.cf.{{ host_group }}"
+    - "postfix/master.cf/master.cf.{{ postfix_group }}"
+    - "postfix/master.cf/master.cf"
+  when: inventory_hostname.startswith(('bastion'))
+  notify:
+  - restart postfix
+  tags:
+  - postfix
+  - config
+  - base
+
 - name: Deploy sender_access file
  copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}" dest="/etc/postfix/sender_access"
  when: postfix_group == "smtp-mm" or postfix_group == "mailman" or postfix_group == "gateway"