Changeset - 004a2ec1b5a9
[Not reviewed]
0 7 0
Branko Majic (branko) - 2 months ago 2025-01-20 00:12:05
branko@majic.rs
MAR-230: Add support for TLSv1.3 to the mail_server role:

- Tests/support for older versions have already been dropped
previously.
- Document the specifics of TLSv1.3 cipher configuration.
- Update tests. The DH param test is now applicable only for the
mandatory parameter test servers.
7 files changed with 52 insertions and 32 deletions:
0 comments (0 inline, 0 general) First comment
docs/releasenotes.rst
 
@@ -22,6 +22,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and lower).
 

	
 
* ``mail_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and lower).
 

	
 
* ``web_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
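Review bot: the new ``mail_server`` bullet says the role "no longer officially supports" TLSv1.1 and lower, while the docs/rolereference.rst change in this same changeset says those versions "are not fully supported" and require extra server-side configuration to weaken the OpenSSL security policies. Align the two so a reader knows whether TLSv1.1 is merely unsupported or actually blocked by the default policy; the simplest fix is to end the bullet with a pointer to ``mail_server_minimum_tls_protocol`` in the role reference, where the caveat lives.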
@@ -39,6 +44,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers.
 

	
 
* ``mail_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers.
 

	
 
* ``web_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
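Review bot: the ``mail_server`` bullet only states that TLSv1.3 is enabled by default "alongside the mandatory ciphers", but the changeset also changes the default value of ``mail_server_tls_ciphers`` (three ``TLS_*`` entries are appended in roles/mail_server/defaults/main.yml). A user who already overrides that variable with a list lacking the ``TLS_*`` entries may assume TLSv1.3 is thereby disabled, which the role reference in this changeset says is not the case. Say explicitly that the ``TLS_*`` entries are informational, that overriding the cipher list does not turn TLSv1.3 off, and that ``mail_server_minimum_tls_protocol`` is the knob that controls protocol versions.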
docs/rolereference.rst
 
@@ -1169,19 +1169,27 @@ Parameters
 
**mail_server_minimum_tls_protocol** (string, optional, ``"TLSv1.2"``)
 
  Minimum version of TLS protocol to allow when connecting to SMTP
 
  submission port or IMAP. Value should be compatible with Dovecot's
 
  ``ssl_protocols`` configuration option.
 
  ``ssl_protocols`` and ``smtpd_tls_mandatory_protocols``
 
  configuration options. Older versions of TLS protocol (TLSv1.1 and
 
  lower) are not fully supported by the role, and additional
 
  configuration is required on the server to weaken the OpenSSL
 
  security policies.
 

	
 
**mail_server_smtp_additional_configuration** (string, optional, ``""``))
 
  Additional configuration directives to include in SMTP server main
 
  configuration file. Directives must be specifically compatible with
 
  Postfix, and are treated verbatim (multi-line string will suffice).
 

	
 
**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This
 
  should be an OpenSSL-compatible cipher specification. Value should be
 
  compatible with Postfix configuration option ``tls_high_cipherlist`` and
 
  Dovecot configuration option ``ssl_cipher_list``. Default value allows only
 
  TLSv1.2 and strong PFS ciphers.
 
**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the mail server (for IMAP and SMTP
 
  submission). This should be an OpenSSL-compatible cipher
 
  specification. Value should be compatible with Postfix configuration
 
  option ``tls_high_cipherlist`` and Dovecot configuration option
 
  ``ssl_cipher_list``. Default value allows TLSv1.2 with strong PFS
 
  ciphers and RSA private keys. Ciphers listed for use with TLSv1.3
 
  (``TLS_*`` ones) are mandated by relevant standards, and cannot be
 
  disabled if TLSv1.3 is enabled. The TLSv1.3 ciphers are included in
 
  this list for completeness' sake.
 

	
 
**mail_user** (string, optional, ``vmail``)
 
  Name of the user that owns all the mail files.
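Review bot: the rewritten sentence for ``mail_server_minimum_tls_protocol`` now reads "compatible with Dovecot's ``ssl_protocols`` and ``smtpd_tls_mandatory_protocols`` configuration options", which attributes both options to Dovecot; the rest of this reference treats Postfix as the SMTP server (``tls_high_cipherlist`` is called a Postfix option two entries down), so attribute each option to its daemon, e.g. "Dovecot's ``ssl_protocols`` and Postfix's ``smtpd_tls_mandatory_protocols``". In the ``mail_server_tls_ciphers`` entry, "Default value allows TLSv1.2 with strong PFS ciphers" is stale given the release note in this changeset that TLSv1.3 is now enabled by default; say TLSv1.2 and TLSv1.3. Two nits carried over in context that could be fixed while touching these lines: the missing comma in "(string, optional ``DHE-RSA-...``)" and the doubled closing parenthesis in "(string, optional, ``""``))".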
roles/mail_server/defaults/main.yml
 
@@ -9,6 +9,9 @@ smtp_allow_relay_from: []
 
local_mail_aliases: {}
 
imap_max_user_connections_per_ip: 10
 
mail_server_minimum_tls_protocol: "TLSv1.2"
 

	
 
# TLS_* ciphers are mandated by the TLSv1.3-related standards and
 
# cannot be disabled when TLSv1.3 is enabled on the server.
 
mail_server_tls_ciphers: "\
 
DHE-RSA-AES128-GCM-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:\
 
@@ -16,6 +19,9 @@ DHE-RSA-CHACHA20-POLY1305:\
 
ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
TLS_AES_128_GCM_SHA256:\
 
TLS_AES_256_GCM_SHA384:\
 
TLS_CHACHA20_POLY1305_SHA256:\
 
!aNULL:!MD5:!EXPORT"
 
mail_message_size_limit: 10240000
 
mail_server_smtp_additional_configuration: ""
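Review bot: the comment above the list says the ``TLS_*`` entries cannot be disabled once TLSv1.3 is on, so their presence in ``mail_server_tls_ciphers`` does not change what is negotiated; only the TLSv1.2 suites and the ``!aNULL:!MD5:!EXPORT`` exclusions do any work here. Listing them for completeness is reasonable, but make the comment say they are informational, and confirm that both consumers of this string (Postfix ``tls_high_cipherlist`` and Dovecot ``ssl_cipher_list``, per the role reference) accept the ``TLS_*`` names inside an OpenSSL cipher-list string rather than rejecting the whole value; running ``openssl ciphers -v`` with the final string on the target OpenSSL version would settle it before the default ships.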
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -5,10 +5,15 @@ mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 
mail_server_minimum_tls_protocol: TLSv1.1
 
mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
 
mail_server_minimum_tls_protocol: TLSv1.3
 
mail_server_tls_ciphers: "\
 
ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
TLS_AES_128_GCM_SHA256:\
 
TLS_AES_256_GCM_SHA384:\
 
TLS_CHACHA20_POLY1305_SHA256:\
 
!aNULL:!MD5:!EXPORT"
 
mail_user: virtmail
 
mail_user_uid: 5000
 
mail_user_gid: 5000
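Review bot: with ``mail_server_minimum_tls_protocol: TLSv1.3`` the three ``ECDHE-RSA-*`` entries in ``mail_server_tls_ciphers`` are TLSv1.2 suites that can never be negotiated on this test server, so they are dead configuration unless the intent is to prove they are not offered. If that is the intent, the expectation in tests/test_optional.py (which lists only ``TLS_AKE_WITH_*`` suites) covers it implicitly through list equality, but a comment here should say so; otherwise drop them. Note also that this file used to be the only fixture with a non-default TLSv1.2 cipher override, and after this change no fixture exercises that path.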
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -442,17 +442,6 @@ def test_imap_server_dh_parameter_file(host):
 
        assert "DH Parameters: (2048 bit)" in dhparam_info.stdout
 

	
 

	
 
def test_imap_server_uses_correct_dh_parameters(host):
 
    """
 
    Tests if the IMAP server uses correct Diffie-Hellman parameters.
 
    """
 

	
 
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
 
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
 

	
 
    assert " - Using prime: 2048 bits" in connection.stdout
 

	
 

	
 
def test_imap_and_smtp_tls_files(host):
 
    """
 
    Tests if IMAP and SMTP TLS private keys and certificates have been
roles/mail_server/molecule/default/tests/test_mandatory.py
 
@@ -134,6 +134,17 @@ def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
 
    assert tls_ciphers == expected_tls_ciphers
 

	
 

	
 
def test_imap_server_uses_correct_dh_parameters(host):
 
    """
 
    Tests if the IMAP server uses correct Diffie-Hellman parameters.
 
    """
 

	
 
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
 
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
 

	
 
    assert " - Using prime: 2048 bits" in connection.stdout
 

	
 

	
 
def test_dovecot_postmaster(host):
 
    """
 
    Tests if Dovecot postmaster has been correctly configured.
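Review bot: the gnutls-cli priority string pins ``+VERS-TLS1.2`` and ``+DHE-RSA``, so this test only proves the 2048-bit prime while the mandatory server still negotiates a TLSv1.2 DHE-RSA suite; if ``mail_server_minimum_tls_protocol`` is ever raised to TLSv1.3 for the mandatory fixture (as this changeset does for the optional one), the handshake fails and the only symptom is the substring assertion on ``connection.stdout`` failing with no hint why. Assert ``connection.rc == 0`` before the ``" - Using prime: 2048 bits"`` check so a failed handshake is reported as such, and add a docstring line saying the test is intentionally TLSv1.2-only because the DHE-RSA suite it requests does not exist under TLSv1.3, which is also why the commit message scopes it to the mandatory servers.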
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -125,20 +125,11 @@ def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
 
    IMAP and SMTP submission.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
    expected_tls_versions = ["TLSv1.3"]
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
    ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
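Review bot: ``expected_tls_versions`` drops to ``["TLSv1.3"]`` and ``expected_tls_ciphers`` keeps only the three ``TLS_AKE_WITH_*`` names, so the optional server no longer asserts anything about a TLSv1.2 suite, while the optional fixture still lists ``ECDHE-RSA-*`` suites; either that is deliberate (then the leftover ECDHE entries in parameters-optional.yml should go) or a TLSv1.2 expectation should survive here so the cipher-override path keeps coverage. Also, ``TLS_AKE_WITH_*`` is the spelling nmap's ``ssl-enum-ciphers`` script reports for the TLSv1.3 suites, not the OpenSSL ``TLS_AES_*`` / ``TLS_CHACHA20_*`` names used in the role defaults; a one-line comment next to the list saying so will save the next reader a lookup when the two lists look like they disagree.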