From a822861bea4e9ae84d26825a93d119f2de05fc5c 2024-08-30 15:00:34 From: Branko Majic Date: 2024-08-30 15:00:34 Subject: [PATCH] MAR-239: Dropped support for Debian 11 Bullseye from the mail_server role. --- diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml index 8453b04069f82b09cb18fdb21f8fad323d51f125..f40a2b3898ef0206578b8dcac4dd1cbafd3d4707 100644 --- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml +++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml @@ -34,7 +34,6 @@ mail_server_smtp_additional_configuration: | # Variables dependant on distribution release. release_based_smtp_allow_relay_from: - bullseye: "192.168.56.41" bookworm: "192.168.56.21" # common diff --git a/roles/mail_server/molecule/default/host_vars/ldap-server.yml b/roles/mail_server/molecule/default/host_vars/ldap-server.yml index 9b8ed2cf29c69a47f379949880bb526be0be1221..24d4655dff825aff4b901f7ec44c62c2be9a2671 100644 --- a/roles/mail_server/molecule/default/host_vars/ldap-server.yml +++ b/roles/mail_server/molecule/default/host_vars/ldap-server.yml @@ -43,10 +43,6 @@ backup_host_ssh_private_keys: ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" backup_clients: - - server: param-optional-bullseye - ip: 192.168.56.52 - public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" - - server: param-optional-bookworm ip: 192.168.56.32 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" diff --git a/roles/mail_server/molecule/default/molecule.yml b/roles/mail_server/molecule/default/molecule.yml index 6fb4c3697c5f99cf4384800e694e5b552a36f9a5..219f7a132cfc9bb3fb6146121bc09d479c56d313 100644 --- a/roles/mail_server/molecule/default/molecule.yml +++ b/roles/mail_server/molecule/default/molecule.yml 
@@ -50,74 +50,6 @@ platforms: type: static - # Debian 11 Bullseye - # ================ - - - name: client1-bullseye - groups: - - client - - client-relay-allowed - - bullseye - - smtp-server-requiring-tls - box: debian/bullseye64 - memory: 256 - cpus: 1 - provider_raw_config_args: - - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" - interfaces: - - auto_config: true - ip: 192.168.56.41 - network_name: private_network - type: static - - - name: client2-bullseye - groups: - - client - - client-relay-forbidden - - bullseye - - smtp-server-refusing-tls - box: debian/bullseye64 - memory: 256 - cpus: 1 - provider_raw_config_args: - - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" - interfaces: - - auto_config: true - ip: 192.168.56.42 - network_name: private_network - type: static - - - name: parameters-mandatory-bullseye - groups: - - parameters-mandatory - - bullseye - box: debian/bullseye64 - memory: 2048 - cpus: 1 - provider_raw_config_args: - - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" - interfaces: - - auto_config: true - ip: 192.168.56.51 - network_name: private_network - type: static - - - name: parameters-optional-bullseye - groups: - - parameters-optional - - bullseye - box: debian/bullseye64 - memory: 2048 - cpus: 1 - provider_raw_config_args: - - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" - interfaces: - - auto_config: true - ip: 192.168.56.52 - network_name: private_network - type: static - - # Debian 11 Bookworm # ================== diff --git a/roles/mail_server/molecule/default/prepare.yml b/roles/mail_server/molecule/default/prepare.yml index ef47bf6dae35eb45fcf6e05fb1e3ce0236c61c2c..5d424899213f12d9da906fd2ea7f50d8f8b721a2 100644 --- a/roles/mail_server/molecule/default/prepare.yml +++ b/roles/mail_server/molecule/default/prepare.yml 
@@ -29,15 +29,6 @@ - name: ldap-server_ldap fqdn: ldap-server - - name: parameters-mandatory-bullseye_imap - fqdn: parameters-mandatory-bullseye - - name: parameters-mandatory-bullseye_smtp - fqdn: parameters-mandatory-bullseye - - name: parameters-optional-bullseye_imap - fqdn: parameters-optional-bullseye - - name: parameters-optional-bullseye_smtp - fqdn: parameters-optional-bullseye - - name: parameters-mandatory-bookworm_imap fqdn: parameters-mandatory-bookworm - name: parameters-mandatory-bookworm_smtp @@ -182,28 +173,6 @@ name: nginx state: restarted -- hosts: bullseye - become: true - tasks: - - - name: Set-up the hosts file - lineinfile: - path: /etc/hosts - regexp: "^{{ item.key }}" - line: "{{ item.key }} {{ item.value }}" - owner: root - group: root - mode: 0644 - state: present - with_dict: - # Force mail servers to use local ClamAV database mirror. - 192.168.56.11: "db.local.clamav.net database.clamav.net" - 192.168.56.12: "ldap-server backup-server" - 192.168.56.41: "client1 smtp-server-requiring-tls" - 192.168.56.42: "client2 smtp-server-refusing-tls" - 192.168.56.51: "parameters-mandatory parameters-mandatory-bullseye" - 192.168.56.52: "parameters-optional parameters-optional-bullseye" - - hosts: bookworm become: true tasks: diff --git a/roles/mail_server/molecule/default/tests/test_default.py b/roles/mail_server/molecule/default/tests/test_default.py index 768f1a18edab2efc2e4162726f235ac09d63688e..feee441b137226907dc6f61f16dc70cb3f16b20d 100644 --- a/roles/mail_server/molecule/default/tests/test_default.py +++ b/roles/mail_server/molecule/default/tests/test_default.py 
@@ -632,134 +632,68 @@ def test_smtp_default_port_tls_version_and_ciphers(host): restrictive for interoperability purposes). """ - distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"] - - if distribution_release == "bullseye": - expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"] - expected_tls_ciphers = [ - 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', - 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', - 'TLS_DHE_RSA_WITH_AES_128_CCM', - 'TLS_DHE_RSA_WITH_AES_128_CCM_8', - 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', - 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', - 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', - 'TLS_DHE_RSA_WITH_AES_256_CCM', - 'TLS_DHE_RSA_WITH_AES_256_CCM_8', - 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256', - 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384', - 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA', - 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA', - 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256', - 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', - 'TLS_DHE_RSA_WITH_SEED_CBC_SHA', - 'TLS_DH_anon_WITH_AES_128_CBC_SHA', - 'TLS_DH_anon_WITH_AES_128_CBC_SHA256', - 'TLS_DH_anon_WITH_AES_128_GCM_SHA256', - 'TLS_DH_anon_WITH_AES_256_CBC_SHA', - 'TLS_DH_anon_WITH_AES_256_CBC_SHA256', - 'TLS_DH_anon_WITH_AES_256_GCM_SHA384', - 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', - 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', - 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256', - 'TLS_DH_anon_WITH_SEED_CBC_SHA', - 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', - 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', - 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', - 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256', - 'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384', - 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384', - 
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', - 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA', - 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', - 'TLS_RSA_WITH_AES_128_CBC_SHA', - 'TLS_RSA_WITH_AES_128_CBC_SHA256', - 'TLS_RSA_WITH_AES_128_CCM', - 'TLS_RSA_WITH_AES_128_CCM_8', - 'TLS_RSA_WITH_AES_128_GCM_SHA256', - 'TLS_RSA_WITH_AES_256_CBC_SHA', - 'TLS_RSA_WITH_AES_256_CBC_SHA256', - 'TLS_RSA_WITH_AES_256_CCM', - 'TLS_RSA_WITH_AES_256_CCM_8', - 'TLS_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_RSA_WITH_ARIA_128_GCM_SHA256', - 'TLS_RSA_WITH_ARIA_256_GCM_SHA384', - 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', - 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', - 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256', - 'TLS_RSA_WITH_SEED_CBC_SHA', - ] - else: - expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"] - expected_tls_ciphers = [ - 'TLS_AKE_WITH_AES_128_GCM_SHA256', - 'TLS_AKE_WITH_AES_256_GCM_SHA384', - 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256', - 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', - 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', - 'TLS_DHE_RSA_WITH_AES_128_CCM', - 'TLS_DHE_RSA_WITH_AES_128_CCM_8', - 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', - 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', - 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', - 'TLS_DHE_RSA_WITH_AES_256_CCM', - 'TLS_DHE_RSA_WITH_AES_256_CCM_8', - 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256', - 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384', - 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA', - 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA', - 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256', - 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', - 'TLS_DH_anon_WITH_AES_128_CBC_SHA', - 'TLS_DH_anon_WITH_AES_128_CBC_SHA256', - 'TLS_DH_anon_WITH_AES_128_GCM_SHA256', - 'TLS_DH_anon_WITH_AES_256_CBC_SHA', - 'TLS_DH_anon_WITH_AES_256_CBC_SHA256', - 'TLS_DH_anon_WITH_AES_256_GCM_SHA384', - 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', - 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256', - 
'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', - 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256', - 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', - 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', - 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', - 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256', - 'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384', - 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384', - 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', - 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA', - 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', - 'TLS_RSA_WITH_AES_128_CBC_SHA', - 'TLS_RSA_WITH_AES_128_CBC_SHA256', - 'TLS_RSA_WITH_AES_128_CCM', - 'TLS_RSA_WITH_AES_128_CCM_8', - 'TLS_RSA_WITH_AES_128_GCM_SHA256', - 'TLS_RSA_WITH_AES_256_CBC_SHA', - 'TLS_RSA_WITH_AES_256_CBC_SHA256', - 'TLS_RSA_WITH_AES_256_CCM', - 'TLS_RSA_WITH_AES_256_CCM_8', - 'TLS_RSA_WITH_AES_256_GCM_SHA384', - 'TLS_RSA_WITH_ARIA_128_GCM_SHA256', - 'TLS_RSA_WITH_ARIA_256_GCM_SHA384', - 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', - 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256', - 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', - 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256', - ] + expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"] + expected_tls_ciphers = [ + 'TLS_AKE_WITH_AES_128_GCM_SHA256', + 'TLS_AKE_WITH_AES_256_GCM_SHA384', + 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256', + 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_DHE_RSA_WITH_AES_128_CCM', + 'TLS_DHE_RSA_WITH_AES_128_CCM_8', + 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', + 'TLS_DHE_RSA_WITH_AES_256_CCM', + 'TLS_DHE_RSA_WITH_AES_256_CCM_8', + 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256', + 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384', + 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA', + 
'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA', + 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256', + 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', + 'TLS_DH_anon_WITH_AES_128_CBC_SHA', + 'TLS_DH_anon_WITH_AES_128_CBC_SHA256', + 'TLS_DH_anon_WITH_AES_128_GCM_SHA256', + 'TLS_DH_anon_WITH_AES_256_CBC_SHA', + 'TLS_DH_anon_WITH_AES_256_CBC_SHA256', + 'TLS_DH_anon_WITH_AES_256_GCM_SHA384', + 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', + 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', + 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384', + 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', + 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA', + 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_RSA_WITH_AES_128_CCM', + 'TLS_RSA_WITH_AES_128_CCM_8', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_RSA_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_256_CBC_SHA256', + 'TLS_RSA_WITH_AES_256_CCM', + 'TLS_RSA_WITH_AES_256_CCM_8', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_RSA_WITH_ARIA_128_GCM_SHA256', + 'TLS_RSA_WITH_ARIA_256_GCM_SHA384', + 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', + 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', + 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256', + ] # Run the nmap scanner against the server, and fetch the results. nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml") 
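Review bot: With the distribution branch removed, nothing in the hunk records which release the single remaining expectation was captured on, so the next release bump or an OpenSSL update that changes the default suite set will surface only as an opaque list-mismatch assertion; a comment above `expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]` such as `# Baseline captured on Debian 12 (Bookworm), the only release this scenario still provisions; re-baseline deliberately when a new release is added.` would keep that explicit. The same applies to the matching hunks in test_mandatory.py and test_optional.py, which drop the identical branch. The port-25 list intentionally retains TLSv1.0/1.1 and the anonymous DH/ECDH suites, which the visible docstring fragment attributes to interoperability; that is unchanged by this commit and is worth keeping stated next to the list so nobody "tightens" the test without also changing the role. The body of test_smtp_default_port_tls_version_and_ciphers continues past the hunk (the nmap report parsing), so the comparison logic itself could not be reviewed here.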
diff --git a/roles/mail_server/molecule/default/tests/test_mandatory.py b/roles/mail_server/molecule/default/tests/test_mandatory.py index 483d3a33af05b74b19da6852627b2f7465e29800..d17a300242066114f492ea72ca696d1563440153 100644 --- a/roles/mail_server/molecule/default/tests/test_mandatory.py +++ b/roles/mail_server/molecule/default/tests/test_mandatory.py 
@@ -98,32 +98,18 @@ def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port): IMAP and SMTP submission. """ - distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"] - - if distribution_release == "bullseye": - expected_tls_versions = ["TLSv1.2"] - expected_tls_ciphers = [ - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - ] - - else: - expected_tls_versions = ["TLSv1.2", "TLSv1.3"] - expected_tls_ciphers = [ - "TLS_AKE_WITH_AES_128_GCM_SHA256", - "TLS_AKE_WITH_AES_256_GCM_SHA384", - "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - ] + expected_tls_versions = ["TLSv1.2", "TLSv1.3"] + expected_tls_ciphers = [ + "TLS_AKE_WITH_AES_128_GCM_SHA256", + "TLS_AKE_WITH_AES_256_GCM_SHA384", + "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + ] # Run the nmap scanner against the server, and fetch the results. nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port)) diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py index 732c7f93d8e3d14e4f1a9ded2e8d1a1d2652f235..8f7aefba2b32b15ea5deee6317cfc064bf97e20c 100644 --- a/roles/mail_server/molecule/default/tests/test_optional.py 
+++ b/roles/mail_server/molecule/default/tests/test_optional.py 
@@ -123,37 +123,21 @@ def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port): IMAP and SMTP submission. """ - distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"] - - if distribution_release == "bullseye": - expected_tls_versions = ["TLSv1.1", "TLSv1.2"] - expected_tls_ciphers = [ - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - ] - else: - expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"] - expected_tls_ciphers = [ - "TLS_AKE_WITH_AES_128_GCM_SHA256", - "TLS_AKE_WITH_AES_256_GCM_SHA384", - "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - ] + expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"] + expected_tls_ciphers = [ + "TLS_AKE_WITH_AES_128_GCM_SHA256", + "TLS_AKE_WITH_AES_256_GCM_SHA384", + "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + ] # Run the nmap scanner against the server, and fetch the results. 
nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port)) diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2 index af436cf335f845434d05b532faedb0be6b66f55b..ca4d07cb3e730101baa5f231602797f37be6c837 100644 --- a/roles/mail_server/templates/main.cf.j2 +++ b/roles/mail_server/templates/main.cf.j2 @@ -36,11 +36,9 @@ message_size_limit = {{ mail_message_size_limit }} # Disable output of Postfix README file paths when invoking postconf. readme_directory = no -{% if ansible_distribution_release != 'bullseye' %} # Use whitelist/blacklist instead of allowlist/denylist in log # entries. respectful_logging = no -{% endif %} # Compatibility level for default values. For more details, see: # https://www.postfix.org/COMPATIBILITY_README.html