postfix: gateway: consolidate tls settings and use chain-file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
parent
a336ba2a9e
commit
a3c96c4032
1 changed files with 3 additions and 37 deletions
|
@ -714,39 +714,6 @@ sample_directory = /usr/share/doc/postfix/samples
|
|||
#
|
||||
readme_directory = /usr/share/doc/postfix/README_FILES
|
||||
|
||||
# TLS CONFIGURATION
|
||||
#
|
||||
# Basic Postfix TLS configuration by default with self-signed certificate
|
||||
# for inbound SMTP and also opportunistic TLS for outbound SMTP.
|
||||
|
||||
# The full pathname of a file with the Postfix SMTP server RSA certificate
|
||||
# in PEM format. Intermediate certificates should be included in general,
|
||||
# the server certificate first, then the issuing CA(s) (bottom-up order).
|
||||
#
|
||||
smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.crt
|
||||
|
||||
# The full pathname of a file with the Postfix SMTP server RSA private key
|
||||
# in PEM format. The private key must be accessible without a pass-phrase,
|
||||
# i.e. it must not be encrypted.
|
||||
#
|
||||
smtpd_tls_key_file = /etc/pki/tls/private/gateway.key
|
||||
|
||||
# Announce STARTTLS support to remote SMTP clients, but do not require that
|
||||
# clients use TLS encryption (opportunistic TLS inbound).
|
||||
#
|
||||
smtpd_tls_security_level = may
|
||||
|
||||
# Directory with PEM format Certification Authority certificates that the
|
||||
# Postfix SMTP client uses to verify a remote SMTP server certificate.
|
||||
#
|
||||
smtp_tls_CApath = /etc/pki/tls/certs
|
||||
|
||||
# The full pathname of a file containing CA certificates of root CAs
|
||||
# trusted to sign either remote SMTP server certificates or intermediate CA
|
||||
# certificates.
|
||||
#
|
||||
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
|
||||
|
||||
## TLS
|
||||
# enable opportunistic TLS support in the SMTP server
|
||||
smtpd_use_tls = yes
|
||||
|
@ -755,12 +722,13 @@ smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|||
smtpd_tls_mandatory_ciphers = high
|
||||
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
|
||||
smtpd_tls_loglevel = 1
|
||||
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
|
||||
smtpd_tls_chain_files = /etc/pki/tls/private/gateway-chain.pem
|
||||
smtpd_tls_session_cache_timeout = 3600s
|
||||
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
|
||||
smtpd_tls_received_header = yes
|
||||
smtpd_tls_ask_ccert = yes
|
||||
smtpd_tls_received_header = yes
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_eecdh_grade = ultra
|
||||
# smtpd TLS end
|
||||
# smtp TLS Client
|
||||
|
@ -771,9 +739,7 @@ smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
|
|||
smtp_tls_mandatory_ciphers = high
|
||||
smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
|
||||
smtp_tls_loglevel = 1
|
||||
smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
|
||||
smtp_tls_key_file = /etc/pki/tls/private/gateway.key
|
||||
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
|
||||
smtp_tls_chain_files = /etc/pki/tls/private/gateway-chain.pem
|
||||
smtp_tls_security_level = may
|
||||
smtp_tls_connection_reuse = no
|
||||
smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com,redhat.com
|
||||
|
|
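Review bot: With `smtpd_tls_security_level = may` retained in the smtpd hunk, the `smtpd_tls_mandatory_ciphers` / `smtpd_tls_mandatory_exclude_ciphers` lines (and the `smtpd_tls_mandatory_protocols` line visible only in the hunk header) apply solely at the `encrypt`/`verify` levels, so the opportunistic listener this consolidation leaves in place still negotiates on Postfix's default `smtpd_tls_protocols`/`smtpd_tls_ciphers`; the same mismatch exists on the client side, where `smtp_tls_mandatory_*` is paired with `smtp_tls_security_level = may`. If the intent is to exclude SSLv2/3 and aNULL/MD5/RC4 for opportunistic sessions too, add the non-mandatory counterparts next to the existing ones: `smtpd_tls_protocols = !SSLv2, !SSLv3`, `smtpd_tls_ciphers = high`, `smtpd_tls_exclude_ciphers = aNULL, MD5, RC4` (Postfix's own guidance is that an overly strict opportunistic policy just causes fallback to cleartext, so `medium` may be the safer grade — confirm against the peers this gateway talks to). The consolidated smtpd block also carries `smtpd_tls_received_header = yes` twice; the duplicate is harmless but should be dropped. Because `smtpd_tls_chain_files`/`smtp_tls_chain_files` bundle the private key with the certificate chain, the new `gateway-chain.pem` must be key first, then leaf, then intermediates, root-owned and mode 0600 under `/etc/pki/tls/private`, and the parameter requires Postfix 3.4 or later — presumably the task that deploys the file enforces that, but it is not visible in this commit.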