nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-20 10:34:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

email_server: Adjust TLS configuration parameters

Browse Source 
- Don't add TLS debugging information to Received: header.

- Drop unused fingerprint digest configuration. They are only used when
smtpd_tls_security_level is set to 'fingerprint' in which case certifying
authorities are ignored.

- Drop alterations to TLS low/high cipher lists. They are not used since
tls_ciphers are all set to 'medium'.

Tests:

- No configuration errors are reported by postfix in its logs after startup.

- 'postconf' shows that the new configuration parameters are set properly.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2021-12-07 22:26:12 -08:00 committed by James Valleroy
parent e43e144040
commit 9a8b57efd4
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
1 changed files with 3 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
plinth/modules/email_server/audit/tls.py
View File

@ -14,23 +14,15 @@ _tls_medium_cipherlist = [
] ]
_postfix_config = { _postfix_config = {
# Enable TLS
'smtpd_tls_security_level': 'may',
# Allow unencrypted auth on port 25, needed by Roundcube # Allow unencrypted auth on port 25, needed by Roundcube
'smtpd_tls_auth_only': 'no', 'smtpd_tls_auth_only': 'no',
# Debugging information
'smtpd_tls_received_header': 'yes',
# Use a strong hashing algorithm
'smtp_tls_fingerprint_digest': 'sha256',
'smtpd_tls_fingerprint_digest': 'sha256',
# Mozilla Intermediate Configuration # Mozilla Intermediate Configuration
'smtpd_tls_security_level': 'may',
'smtpd_tls_mandatory_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1', 'smtpd_tls_mandatory_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
'smtpd_tls_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1', 'smtpd_tls_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
'smtpd_tls_mandatory_ciphers': 'medium', 'smtpd_tls_mandatory_ciphers': 'medium',
'smtpd_tls_ciphers': 'medium',
'tls_medium_cipherlist': ':'.join(_tls_medium_cipherlist), 'tls_medium_cipherlist': ':'.join(_tls_medium_cipherlist),
'tls_preempt_cipherlist': 'no', 'tls_preempt_cipherlist': 'no',
@ -38,15 +30,12 @@ _postfix_config = {
'smtp_tls_mandatory_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1', 'smtp_tls_mandatory_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
'smtp_tls_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1', 'smtp_tls_protocols': '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1',
'smtp_tls_mandatory_ciphers': 'medium', 'smtp_tls_mandatory_ciphers': 'medium',
'smtp_tls_ciphers': 'medium',
# Use DNSSEC to validate TLS certificates # Use DNSSEC to validate TLS certificates
'smtp_host_lookup': 'dns', 'smtp_host_lookup': 'dns',
'smtp_dns_support_level': 'dnssec', 'smtp_dns_support_level': 'dnssec',
'smtp_tls_security_level': 'dane', # Opportunistic DANE TLS 'smtp_tls_security_level': 'dane', # Opportunistic DANE TLS
# Maintain 1 cipherlist and keep it the most secure
'tls_low_cipherlist': '$tls_medium_cipherlist',
'tls_high_cipherlist': '$tls_medium_cipherlist',
} }