From a1af68173d403e8dd49e8b27024da38f643be430 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 24 May 2022 12:08:58 -0700
Subject: [PATCH] bastion / postfix: disable tls_resue for now

Something is broken with smtp_tls_connection_reuse = yes, so disable it for now. Also, setup a tls_policy map file and tell it to not use tls for mx2.redhat.com. The normal smtp connection reuse works just fine, so this will keep mail flowing until we can one day figure out why tls connection reuse is busted.

Signed-off-by: Kevin Fenzi
---
 roles/base/files/postfix/main.cf/main.cf.gateway | 11 +++--------
 roles/base/files/postfix/tls_policy.gateway | 1 +
 roles/base/tasks/postfix.yml | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 8 deletions(-)
 create mode 100644 roles/base/files/postfix/tls_policy.gateway

diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index 1493832d61..413a9a7311 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -747,11 +747,6 @@ smtp_tls_CApath = /etc/pki/tls/certs
 # smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-# Use TLS if this is supported by the remote SMTP server, otherwise use
-# plaintext (opportunistic TLS outbound).
-#
-smtp_tls_security_level = may
-
 ## TLS
 # enable opportunistic TLS support in the SMTP server
 smtpd_use_tls = yes
@@ -772,7 +767,6 @@ smtpd_tls_eecdh_grade = ultra
 smtp_tls_fingerprint_digest=sha1
 smtp_tls_note_starttls_offer = yes
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-smtp_tls_security_level = may
 smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
 smtp_tls_mandatory_ciphers = high
 smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
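Review bot: Removing `-smtp_tls_security_level = may` here (and the commented copy in the hunk at 747) leaves the parameter unset as far as these hunks show, and Postfix's default for it is empty, which falls back to the legacy `smtp_use_tls` knob whose default is `no`; unless `smtp_use_tls = yes` is set somewhere outside the hunks, outbound STARTTLS is now disabled for every destination that is not listed in the policy map, not just for the Red Hat MX. That inverts the stated intent, because the new map then makes `redhat.com` the only domain that still gets opportunistic TLS while gmail.com, google.com and everyone else drop to plaintext. Keep the global default, `smtp_tls_security_level = may`, and use the policy map only to downgrade the one destination that breaks with TLS connection reuse. The `## TLS` parameter block this hunk edits continues past the end of the hunk.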
@@ -780,10 +774,11 @@ smtp_tls_loglevel = 1
 smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
 smtp_tls_key_file = /etc/pki/tls/private/gateway.key
 smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-smtp_tls_connection_reuse = yes
-smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com
+smtp_tls_connection_reuse = no
+smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com,redhat.com
 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
 smtp_tls_session_cache_timeout = 3600s
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
 ## End smtp_tls
 ## General TLS
 tls_random_source = dev:/dev/urandom
diff --git a/roles/base/files/postfix/tls_policy.gateway b/roles/base/files/postfix/tls_policy.gateway
new file mode 100644
index 0000000000..92d4dea51c
--- /dev/null
+++ b/roles/base/files/postfix/tls_policy.gateway
@@ -0,0 +1 @@
+redhat.com may
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index 63708ba49a..2fcee58671 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@@ -30,6 +30,21 @@
   - config
   - base
 
+- name: install /etc/postfix/tls_policy file
+  copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
+  with_first_found:
+  - "postfix/master.cf/master.cf.{{ inventory_hostname }}"
+  - "postfix/master.cf/master.cf.{{ host_group }}"
+  - "postfix/master.cf/master.cf.{{ postfix_group }}"
+  - "postfix/master.cf/master.cf"
+  when: inventory_hostname.startswith(('bastion'))
+  notify:
+  - restart postfix
+  tags:
+  - postfix
+  - config
+  - base
+
 - name: Deploy sender_access file
   copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}" dest="/etc/postfix/sender_access"
   when: postfix_group == "smtp-mm" or postfix_group == "mailman" or postfix_group == "gateway"
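Review bot: The added `+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy` duplicates the `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy` line that is visible as context in the earlier hunk of this same file (new line 767), so Postfix will warn about overriding an earlier entry on every reload and the second copy adds nothing; drop the added line. Independently of that, a `hash:` table is only usable once `/etc/postfix/tls_policy.db` has been built with `postmap`, and until it exists every lookup fails and the smtp client defers the mail rather than falling through to the default level — so the file copy alone is not enough to "keep mail flowing". The `## End smtp_tls` block this hunk touches is otherwise unchanged.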
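Review bot: `redhat.com may` does not turn TLS off for that destination as the commit message says; `may` is opportunistic STARTTLS, the same level the global `smtp_tls_security_level` had before this change, and the level that skips STARTTLS entirely is `none`, i.e. `redhat.com none`. Policy-map keys are also matched against the next-hop destination (normally the recipient domain or a transport nexthop), not against the MX host name, so this entry covers mail for redhat.com addresses but nothing else that happens to be delivered through mx2.redhat.com — worth confirming against how this gateway routes that mail. Because the entry deliberately downgrades one domain to cleartext on the wire, record the reason and the exit condition in the map itself, which accepts `#` comments: `# TLS connection reuse is broken against mx2.redhat.com; plaintext until that is fixed`.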
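Review bot: The `with_first_found` list in the new "install /etc/postfix/tls_policy file" task still names the master.cf sources (`postfix/master.cf/master.cf.{{ inventory_hostname }}` and friends), so on a bastion host this task copies master.cf over `/etc/postfix/tls_policy` and the `tls_policy.gateway` file added in this same commit is never installed. The list should point at the tls_policy sources, keyed the same way (`postfix_group` resolves to the new `tls_policy.gateway`). main.cf references the table as `hash:`, so after the copy the `.db` has to be generated with `postmap`; no task or handler doing that is visible here, so unless one already exists elsewhere in the role a follow-up task is needed as well. The rewritten task and a postmap step are sketched below; the `notify`/`tags` stanzas are unchanged.
```yaml
- name: install /etc/postfix/tls_policy file
  copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
  with_first_found:
  - "postfix/tls_policy.{{ inventory_hostname }}"
  - "postfix/tls_policy.{{ host_group }}"
  - "postfix/tls_policy.{{ postfix_group }}"
  - "postfix/tls_policy"
  when: inventory_hostname.startswith(('bastion'))
  register: tls_policy_copy
  # … unchanged: notify / tags …

- name: build /etc/postfix/tls_policy.db for the hash: lookup table
  command: postmap hash:/etc/postfix/tls_policy
  when: inventory_hostname.startswith(('bastion')) and tls_policy_copy is changed
  notify:
  - restart postfix
```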