bastion / postfix: disable tls_resue for now

Something is broken with smtp_tls_connection_reuse = yes, so disable it
for now. Also, set up a tls_policy map file and tell it to not use tls
for mx2.redhat.com. The normal smtp connection reuse works just fine, so
this will keep mail flowing until we can one day figure out why tls
connection reuse is busted.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2022-05-24 12:08:58 -07:00
parent 8962731dbc
commit a1af68173d
3 changed files with 19 additions and 8 deletions


@ -747,11 +747,6 @@ smtp_tls_CApath = /etc/pki/tls/certs
# #
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
#
smtp_tls_security_level = may
## TLS ## TLS
# enable opportunistic TLS support in the SMTP server # enable opportunistic TLS support in the SMTP server
smtpd_use_tls = yes smtpd_use_tls = yes
@ -772,7 +767,6 @@ smtpd_tls_eecdh_grade = ultra
smtp_tls_fingerprint_digest=sha1 smtp_tls_fingerprint_digest=sha1
smtp_tls_note_starttls_offer = yes smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3 smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_ciphers = high smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4 smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
@ -780,10 +774,11 @@ smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
smtp_tls_key_file = /etc/pki/tls/private/gateway.key smtp_tls_key_file = /etc/pki/tls/private/gateway.key
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_connection_reuse = yes smtp_tls_connection_reuse = no
smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com,redhat.com
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s smtp_tls_session_cache_timeout = 3600s
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
## End smtp_tls ## End smtp_tls
## General TLS ## General TLS
tls_random_source = dev:/dev/urandom tls_random_source = dev:/dev/urandom
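Review bot: Both the first and second hunks of this file appear to drop a `smtp_tls_security_level = may` line (the one under the "opportunistic TLS outbound" comment and the bare one after `smtp_tls_policy_maps`), and if no other setting of that parameter survives elsewhere in main.cf the parameter falls back to its empty default, which turns outbound TLS off for every destination the policy map does not match — the opposite of what the remaining comments in the hunk describe. The tls_policy file added in this commit pairs `redhat.com` with `may`, which is the same level the global setting just lost rather than a "do not use TLS" entry; a per-destination opt-out would be `redhat.com none`, and the lookup key for `smtp_tls_policy_maps` is the next-hop/recipient domain, not the MX host named in the commit message, so an entry keyed on the MX name would never match. The third hunk also adds a second `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy` while the first one is still present as context above it; Postfix takes the last definition and warns about the override, so one of the two lines should be removed. The security-level and policy-map settings are spread across hunks whose surrounding lines are outside this view, so confirm against the full file before relying on the default described here.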


@ -0,0 +1 @@
redhat.com may


@ -30,6 +30,21 @@
- config - config
- base - base
- name: install /etc/postfix/tls_policy file
copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
with_first_found:
- "postfix/master.cf/master.cf.{{ inventory_hostname }}"
- "postfix/master.cf/master.cf.{{ host_group }}"
- "postfix/master.cf/master.cf.{{ postfix_group }}"
- "postfix/master.cf/master.cf"
when: inventory_hostname.startswith(('bastion'))
notify:
- restart postfix
tags:
- postfix
- config
- base
- name: Deploy sender_access file - name: Deploy sender_access file
copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}" dest="/etc/postfix/sender_access" copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}" dest="/etc/postfix/sender_access"
when: postfix_group == "smtp-mm" or postfix_group == "mailman" or postfix_group == "gateway" when: postfix_group == "smtp-mm" or postfix_group == "mailman" or postfix_group == "gateway"
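Review bot: The new "install /etc/postfix/tls_policy file" task lists only `postfix/master.cf/master.cf.*` sources in its `with_first_found`, so on bastion hosts it would install master.cf content as /etc/postfix/tls_policy instead of the one-line policy map this commit adds; the candidate paths need to point at the tls_policy source files. main.cf references the map as `hash:/etc/postfix/tls_policy`, and a hash: table is read from the generated `tls_policy.db`, which nothing in this task creates, so without a `postmap` step Postfix will fail the policy lookup and defer outbound mail rather than silently fall back. Registering the copy result and running `postmap` when it changed, before the restart handler fires, keeps the database in step with the file. The surrounding task list continues outside the hunk on both sides; the source directory for the tls_policy files is not shown on this page, so it is left as a placeholder below.
```yaml
- name: install /etc/postfix/tls_policy file
  copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
  with_first_found:
    - "<TLS_POLICY_SRC_DIR>/tls_policy.{{ inventory_hostname }}"
    - "<TLS_POLICY_SRC_DIR>/tls_policy.{{ host_group }}"
    - "<TLS_POLICY_SRC_DIR>/tls_policy.{{ postfix_group }}"
    - "<TLS_POLICY_SRC_DIR>/tls_policy"
  when: inventory_hostname.startswith(('bastion'))
  register: tls_policy_file
  notify:
    - restart postfix
  # … unchanged: tags …

- name: build the hash: database that smtp_tls_policy_maps reads
  command: postmap hash:/etc/postfix/tls_policy
  when: inventory_hostname.startswith(('bastion')) and tls_policy_file is changed
  notify:
    - restart postfix
  tags:
    - postfix
    - config
    - base
```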