Changeset - 093382189478
Branko Majic (branko) - 11 months ago 2025-01-08 18:07:07
branko@majic.rs
MAR-227: Drop the workaround for older Postfix TLS protocol configuration syntax:

- Since the roles have dropped support for older versions of
Debian/Postfix, no need to use the backwards compatible syntax any
longer.
2 files changed with 1 insertions and 14 deletions:
roles/mail_server/defaults/main.yml
 
@@ -10,25 +10,12 @@ local_mail_aliases: {}
 
imap_max_user_connections_per_ip: 10
 
mail_server_minimum_tls_protocol: "TLSv1.2"
 
mail_server_tls_ciphers: "\
 
DHE-RSA-AES128-GCM-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-CHACHA20-POLY1305:\
 
ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
!aNULL:!MD5:!EXPORT"
 
mail_message_size_limit: 10240000
 
mail_server_smtp_additional_configuration: ""
 

	
 
# Internal use only.
 

	
 
# Map Postfix smtpd allowed protocols based on minimum protocol
 
# specified (for use with submission port smtpd instance). A bit
 
# repetative, but easy to understand.
 
mail_server_smtpd_submission_protocols:
 
  SSLv2: ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  SSLv3: ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  TLSv1: ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  TLSv1.1: ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  TLSv1.2: ["TLSv1.2", "TLSv1.3"]
 
  TLSv1.3: ["TLSv1.3"]
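Review bot: With the `mail_server_smtpd_submission_protocols` map removed, nothing left in this defaults file says which values `mail_server_minimum_tls_protocol` (the context line above the cipher list) accepts, and the map's keys were the only place a reader could see that the value must be a Postfix protocol name rather than a free-form string. I would add a comment above that variable: `# Postfix TLS protocol name ("TLSv1.2", "TLSv1.3", ...); rendered into master.cf as "smtpd_tls_mandatory_protocols=>=<value>", so the deployed Postfix must understand the ">=" form.` I believe that form arrived with Postfix 3.6, which is presumably satisfied by the Debian releases the role still targets, but that is worth confirming in the comment. The same variable is consumed by the master.cf.j2 hunk in this changeset, which is where any validation of it would need to live.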
roles/mail_server/templates/master.cf.j2
 
@@ -143,15 +143,15 @@ dovecot   unix  -       n       n       -       -       pipe
 
# Submission port with hardened TLS configuration.
 
submission inet n       -       y       -       -       smtpd
 
  -o syslog_name=postfix/submission
 
  -o smtpd_tls_security_level=encrypt
 
  -o smtpd_sasl_auth_enable=yes
 
  -o smtpd_tls_auth_only=yes
 
  -o smtpd_reject_unlisted_recipient=no
 
  -o smtpd_client_restrictions=
 
  -o smtpd_helo_restrictions=
 
  -o smtpd_relay_restrictions=
 
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
 
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 
  -o smtpd_tls_mandatory_protocols={{ mail_server_smtpd_submission_protocols[mail_server_minimum_tls_protocol] | join(',') }}
 
  -o smtpd_tls_mandatory_protocols=>={{ mail_server_minimum_tls_protocol }}
 
  -o smtpd_tls_mandatory_ciphers=high
 
  -o tls_high_cipherlist={{ mail_server_tls_ciphers }}
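Review bot: The new `-o smtpd_tls_mandatory_protocols=>={{ mail_server_minimum_tls_protocol }}` line loses the validation the old dictionary lookup gave for free: a value that was not a key of the removed map failed the template render, whereas now any string (a typo, or a YAML value that lost its quotes and was retyped) is written straight into master.cf and presumably only shows up as a Postfix warning or a weaker-than-intended TLS policy at runtime. Since the map is gone, an `ansible.builtin.assert` task in the role's task list (outside this hunk) with `that: mail_server_minimum_tls_protocol in ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']` would restore the fail-fast behaviour without reintroducing the old syntax. The submission service stanza starts within this hunk and its last visible line is the cipher-list option, so I cannot tell from here whether anything else in master.cf.j2 still references the removed map.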