pagure: enable tls for smtp in prod too

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-06-13 18:07:22 -07:00 · 2022-06-13 18:07:22 -07:00 · c31c99a252
commit c31c99a252
parent 9953c1346f
1 changed files with 40 additions and 3 deletions
--- a/roles/base/files/postfix/main.cf/main.cf.vpn.pagure
+++ b/roles/base/files/postfix/main.cf/main.cf.vpn.pagure
@ -689,7 +689,44 @@ message_size_limit = 20971520
 non_smtpd_milters = unix:/var/run/pagure/paguresock
 smtpd_milters = unix:/var/run/pagure/paguresock

-# The following are needed for postfix-3
-smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} :{permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
-compatibility_level = 2
+## TLS
+# enable opportunistic TLS support in the SMTP server
+smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
+smtpd_tls_loglevel = 1
+smtpd_tls_cert_file = /etc/pki/tls/certs/pagure.io.cert
+smtpd_tls_key_file = /etc/pki/tls/private/pagure.io.key
+smtpd_tls_CAfile  =   /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_security_level = may
+smtpd_tls_connection_reuse = no
+smtpd_tls_received_header               = yes
+smtpd_tls_ask_ccert                     = yes
+smtpd_tls_received_header = yes
+smtpd_tls_eecdh_grade = ultra
+# smtpd TLS end
+# smtp TLS Client
+smtp_tls_fingerprint_digest=sha1
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtp_tls_mandatory_ciphers = high
+smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
+smtp_tls_loglevel = 1
+smtp_tls_cert_file = /etc/pki/tls/certs/pagure.io.cert
+smtp_tls_key_file = /etc/pki/tls/private/pagure.io.key
+smtp_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt
+smtp_tls_security_level = may
+smtp_tls_connection_reuse = no
+## End smtp_tls
+## General TLS
+tls_random_source                       = dev:/dev/urandom
+tls_eecdh_strong_curve = prime256v1
+tls_eecdh_ultra_curve = secp384r1

+# smtpd_relay_restrictions are safer to use than smtpd_recipient_restrictions
+# as outlined http://www.postfix.org/SMTPD_ACCESS_README.html
+# At least one is required to receive email
+smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination