From 2e340af74a9634c8fc6561a05bc06c05cc6f8601 2020-05-19 19:58:36 From: Branko Majic Date: 2020-05-19 19:58:36 Subject: [PATCH] MAR-153: Updated role reference documentation and release notes: - Marks the change as breaking because it could mean older client/servers cannot interoperate with the Majic Ansible Roles TLS services any longer. --- diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst index a53321062b262897f9aafe690c38bf21ddc0876e..937f89b7a8480ca631e6de0ad5b4dce47585ba5e 100644 --- a/docs/releasenotes.rst +++ b/docs/releasenotes.rst @@ -20,6 +20,30 @@ Breaking changes: * Support for Debian 8 Jessie has been dropped. +* ``mail_forwarder`` role + + * Use 2048-bit Diffie-Hellman parameters for relevant TLS + ciphers. This could introduce incompatibility with older + clients/servers trying to connect to the SMTP server. + +* ``mail_server`` role + + * Use 2048-bit Diffie-Hellman parameters for relevant TLS + ciphers. This could introduce incompatibility with older + clients/servers trying to connect to the SMTP/IMAP server. + +* ``web_server`` role + + * Use 2048-bit Diffie-Hellman parameters for relevant TLS + ciphers. This could introduce incompatibility with older clients + trying to connect to the web server. + +* ``xmpp_server`` role + + * Use 2048-bit Diffie-Hellman parameters for relevant TLS + ciphers. This could introduce incompatibility with older + clients/servers trying to connect to the XMPP server. + Bug fixes: * ``common`` role diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 935dd195ac3e4c87808b19a6c131afcbc333e17e..195eeb0cf59128a3889d887ca2da0a858254adf3 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst 
@@ -851,6 +851,8 @@ Prosody is configured as follows: * Self-registration is not allowed. * TLS is configured. Legacy TLS is available on port 5223. * Client-to-server communication requires encryption (TLS). +* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for + incoming connections. * Authentication is done via LDAP. For setting the LDAP TLS truststore, see :ref:`LDAP Client `. * Internal storage is used. @@ -1014,6 +1016,8 @@ Deployed services are configured as follows: * Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir`` format. * TLS is required for user log-ins for both SMTP and IMAP. +* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for + incoming connections. * For user submission (SMTP), users must connect and authenticate over TCP port 587. * Configures TLS versions and ciphers supported by Dovecot. @@ -1253,6 +1257,8 @@ Postfix is configured as follows: * TLS is enforced for relaying mails, with configurable truststore for server certificate verification if SMTP relay is used. If SMTP relay is not used (configured), no certificate verification is done. +* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for + incoming connections. Role dependencies @@ -1338,6 +1344,8 @@ The role implements the following: index page. * Deploys the HTTPS TLS private key and certificate (for default vhost). * Configures TLS versions and ciphers supported by Nginx. +* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for + incoming connections. * Configures firewall to allow incoming connections to the web server. * Installs and configures virtualenv and virtualenvwrapper as a common base for Python apps.
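Review bot: in the docs/releasenotes.rst hunk, the four new "Breaking changes" entries say that 2048-bit Diffie-Hellman parameters are now used but not what size they replace, so an operator cannot judge the impact from the note alone; state the previous parameter size (it appears nowhere in this patch) and name the class of peer that breaks, i.e. clients and servers whose TLS implementation rejects DH primes larger than 1024 bits (older Java runtimes are the usual case) rather than the generic "older clients/servers". The four entries are also near-verbatim copies of one another and use "Use 2048-bit ..." while the matching docs/rolereference.rst bullets use "Uses 2048-bit ..."; one wording in both files would make the two documents easier to cross-check.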
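Review bot: in the docs/rolereference.rst hunk for the Prosody list (around line 851 of that file), the added bullet "Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for incoming connections" follows "Legacy TLS is available on port 5223" but does not say whether the parameters apply to that legacy direct-TLS listener as well as to the regular client-to-server listener; the oldest clients are the ones most likely to use port 5223 and also the ones most likely to reject a 2048-bit group, so the bullet should say explicitly that both listeners use the same parameters, or which one does not.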
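Review bot: in the docs/rolereference.rst hunk for the mail_server list (around line 1014), the added bullet is placed between "TLS is required for user log-ins for both SMTP and IMAP" and the port 587 submission bullet, and because the list covers two daemons it leaves open whether the 2048-bit parameters are used by the IMAP server, the SMTP server, or both; either say which daemons are covered or move the bullet next to "Configures TLS versions and ciphers supported by Dovecot" if it is Dovecot-only, as the web_server hunk does for Nginx.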
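Review bot: in the docs/rolereference.rst hunk for the Postfix list (around line 1253), the added bullet is appended directly after the bullet on TLS for relaying outbound mail, so a reader may take the parameter size as something that also governs relaying; the "for incoming connections" qualifier is correct, since the Diffie-Hellman group is supplied by the TLS server side and Postfix relaying outbound acts as the TLS client, but the bullet would read more clearly placed before the relay bullet or reworded along the lines of "... when Postfix acts as the TLS server for incoming SMTP".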
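Review bot: in the docs/rolereference.rst hunk for the web_server list (around line 1338), placing the added bullet immediately after "Configures TLS versions and ciphers supported by Nginx" is the right spot, but "relevant TLS ciphers" still does not tell an operator which of the configured suites depend on the parameter size; spell out that the parameters are used by the DHE (ephemeral finite-field Diffie-Hellman) suites and that ECDHE suites are unaffected, or fold the sentence into the preceding bullet so the two TLS statements read as one.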