From 9a8b57efd41a6cbf269c004b5cf83a6d5d3e17df Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Tue, 7 Dec 2021 22:26:12 -0800
Subject: [PATCH] email_server: Adjust TLS configuration parameters

- Don't add TLS debugging information to Received: header.
- Drop unused fingerprint digest configuration. They are only used when smtpd_tls_security_level is set to 'fingerprint' in which case certifying authorities are ignored.
- Drop alterations to TLS low/high cipher lists. They are not used since tls_ciphers are all set to 'medium'.

Tests:

- No configuration errors are reported by postfix in its logs after startup.
- 'postconf' shows that the new configuration parameters are set properly.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/email_server/audit/tls.py | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/plinth/modules/email_server/audit/tls.py b/plinth/modules/email_server/audit/tls.py
index 669782d0c..93e891d03 100644
--- a/plinth/modules/email_server/audit/tls.py
+++ b/plinth/modules/email_server/audit/tls.py
@@ -14,23 +14,15 @@ _tls_medium_cipherlist = [
 ]
 _postfix_config = {
-    # Enable TLS
-    'smtpd_tls_security_level': 'may',
-
     # Allow unencrypted auth on port 25, needed by Roundcube
     'smtpd_tls_auth_only': 'no',
-    # Debugging information
-    'smtpd_tls_received_header': 'yes',
-
-    # Use a strong hashing algorithm
-    'smtp_tls_fingerprint_digest': 'sha256',
-    'smtpd_tls_fingerprint_digest': 'sha256',
-
     # Mozilla Intermediate Configuration
+    'smtpd_tls_security_level': 'may',
     'smtpd_tls_mandatory_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
     'smtpd_tls_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
     'smtpd_tls_mandatory_ciphers': 'medium',
+    'smtpd_tls_ciphers': 'medium',
     'tls_medium_cipherlist': ':'.join(_tls_medium_cipherlist),
     'tls_preempt_cipherlist': 'no',
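Review bot: The new `'smtpd_tls_ciphers': 'medium'` line has no comment, yet it is the line the commit message's reasoning rests on (the low/high cipher-list overrides can only be dropped because every cipher-grade parameter is 'medium'). 'medium' is also Postfix's documented default for this parameter, so a later reader may delete it as redundant and silently break that assumption. I would annotate it: `# Postfix default, pinned on purpose: the curated tls_medium_cipherlist must govern opportunistic (non-mandatory) TLS as well`. The `_postfix_config` dict continues past the end of this hunk, and the `smtpd_tls_auth_only: 'no'` context line (plaintext SASL on port 25) is pre-existing rather than part of this change.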
@@ -38,15 +30,12 @@ _postfix_config = {
     'smtp_tls_mandatory_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
     'smtp_tls_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
     'smtp_tls_mandatory_ciphers': 'medium',
+    'smtp_tls_ciphers': 'medium',
     # Use DNSSEC to validate TLS certificates
     'smtp_host_lookup': 'dns',
     'smtp_dns_support_level': 'dnssec',
     'smtp_tls_security_level': 'dane',  # Opportunistic DANE TLS
-
-    # Maintain 1 cipherlist and keep it the most secure
-    'tls_low_cipherlist': '$tls_medium_cipherlist',
-    'tls_high_cipherlist': '$tls_medium_cipherlist',
 }
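Review bot: Removing the `tls_low_cipherlist`/`tls_high_cipherlist` overrides is only safe while every `*_tls_ciphers` and `*_tls_mandatory_ciphers` grade stays 'medium'; a per-service override such as `-o smtpd_tls_mandatory_ciphers=high` for submission in master.cf (not visible in this diff, so this is a caveat rather than a confirmed issue) would now select Postfix's stock 'high' list instead of the curated `_tls_medium_cipherlist`. That invariant deserves a comment beside the new `'smtp_tls_ciphers': 'medium'` line, e.g. `# All cipher grades are 'medium'; if any service is ever raised to 'high', re-add a tls_high_cipherlist override`. The `_postfix_config` dict whose closing `}` appears here opens in the previous hunk.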