try this patch set on for size to get tls working with smtp

2016-09-27 01:10:46 +00:00 · 2016-09-27 01:10:46 +00:00 · d2764137e5
commit d2764137e5
parent 9cd58bad25
2 changed files with 68 additions and 0 deletions
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@ -703,3 +703,42 @@ local_header_rewrite_clients = static:all


 message_size_limit = 20971520
+
+
+## TLS
+# enable opportunistic TLS support in the SMTP server
+smtpd_use_tls = yes
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+tls_ssl_options = no_ticket, no_compression
+
+smtpd_tls_loglevel = 1
+smtpd_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr
+smtpd_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key
+smtpd_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_session_cache_database        = btree:${queue_directory}/smtpd_scache
+smtpd_tls_received_header               = yes
+smtpd_tls_ask_ccert                     = yes
+smtpd_tls_received_header = yes
+tls_random_source                       = dev:/dev/urandom
+smtpd_tls_eecdh_grade = ultra
+tls_eecdh_strong_curve = prime256v1
+tls_eecdh_ultra_curve = secp384r1
+# TLS end
+#TLS Client
+smtp_tls_fingerprint_digest=sha1
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtp_tls_mandatory_ciphers = high
+smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
+smtp_tls_loglevel = 1
+smtp_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr
+smtp_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key
+smtp_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@ -48,3 +48,32 @@
  - config


+- name: install /etc/pki/tls/certs/{{name}}.csr
+  copy: >
+    src={{item}}
+    dest=/etc/pki/tls/certs/{{item | basename}}
+    owner=root
+    group=root
+    mode=0644
+  with_first_found:
+  - "{{private}}/files/httpd/{{cert}}.cert"
+  - "{{private}}/files/httpd/{{name}}.cert"
+  notify:
+  - restart postfix
+  tags:
+  - postfix
+
+- name: Copy {{name}}.key
+  copy: >
+    src={{item}}
+    dest=/etc/pki/tls/private/{{item | basename}}
+    owner=root
+    group=root
+    mode=0600
+  with_first_found:
+  - "{{private}}/files/httpd/{{key}}.key"
+  - "{{private}}/files/httpd/{{name}}.key"
+  notify:
+  - restart postfix
+  tags:
+  - postfix