Changeset - 24120c68c6b4
Branko Majic (branko) - 8 months ago 2024-02-18 20:37:53
branko@majic.rs
MAR-196: Simplify allowed TLS protocol configuration for mail_server role:

- Accept minimum version allowed instead of arbitrary list.
- Fixes deprecation warnings in Dovecot logs (ssl_protocols ->
ssl_min_protocol transition).
8 files changed with 44 insertions and 16 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -42,6 +42,13 @@ Dropped support for Debian 10 (Buster).
 
    parameter expects a list of IPv4 and IPv6 addresses (or
 
    subnets). Resolvable names can no longer be specified.
 

	
 
* ``mail_server`` role
 

	
 
  * Parameter ``mail_server_tls_protocols`` has been dropped and
 
    replaced with parameter ``mail_server_minimum_tls_protocol``. Full
 
    list of TLS protocols can no longer be specified, only the minimum
 
    one.
 

	
 
* ``wsgi_website`` role
 

	
 
  * Dropped support for Python 2.7. Only Python 3 is supported now.
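Review bot: the release note announces the replacement but gives operators nothing to migrate with; add a sentence saying that the lowest entry of the old ``mail_server_tls_protocols`` list becomes the new ``mail_server_minimum_tls_protocol`` value (e.g. ``[TLSv1.2, TLSv1.1]`` becomes ``TLSv1.1``), and call out that the role now enables every version from the minimum upwards, so hosts previously pinned to ``[ "TLSv1.2" ]`` will also offer TLSv1.3 after upgrading (see the ``TLSv1.2: ["TLSv1.2", "TLSv1.3"]`` entry in the new ``mail_server_smtpd_submission_protocols`` map and the ``ssl_min_protocol`` line in the Dovecot template).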
docs/rolereference.rst
 
@@ -1165,17 +1165,16 @@ Parameters
 
  advertised as part of SMTP server capabilities (in response to the
 
  ``ehlo`` SMTP command).
 

	
 
**mail_server_minimum_tls_protocol** (string, optional, ``"TLSv1.2"``)
 
  Minimum version of TLS protocol to allow when connecting to SMTP
 
  submission port or IMAP. Value should be compatible with Dovecot's
 
  ``ssl_protocols`` configuration option.
 

	
 
**mail_server_smtp_additional_configuration** (string, optional, ``""``))
 
  Additional configuration directives to include in SMTP server main
 
  configuration file. Directives must be specifically compatible with
 
  Postfix, and are treated verbatim (multi-line string will suffice).
 

	
 
**mail_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
 
  List of TLS protocols the mail server should support. Each value specified
 
  should be compatible with Postfix configuration option
 
  ``smtpd_tls_mandatory_protocols`` and Dovecot configuration option
 
  ``ssl_protocols``.
 

	
 
**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This
 
  should be an OpenSSL-compatible cipher specification. Value should be
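Review bot: the description of ``mail_server_minimum_tls_protocol`` still says the value should be compatible with Dovecot's ``ssl_protocols`` option, but the template now renders it into ``ssl_min_protocol`` and ``master.cf.j2`` uses it as a key into ``mail_server_smtpd_submission_protocols``; rephrase to "Value should be compatible with Dovecot's ``ssl_min_protocol`` configuration option" and list the accepted values (``SSLv2``, ``SSLv3``, ``TLSv1``, ``TLSv1.1``, ``TLSv1.2``, ``TLSv1.3``), since anything else breaks template rendering. The neighbouring ``mail_server_smtp_additional_configuration`` header also carries a stray closing parenthesis after ``""``, which this edit could fix in passing.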
roles/mail_server/defaults/main.yml
 
@@ -8,8 +8,7 @@ mail_postmaster: "postmaster@{{ ansible_domain }}"
 
smtp_allow_relay_from: []
 
local_mail_aliases: {}
 
imap_max_user_connections_per_ip: 10
 
mail_server_tls_protocols:
 
  - "TLSv1.2"
 
mail_server_minimum_tls_protocol: "TLSv1.2"
 
mail_server_tls_ciphers: "\
 
DHE-RSA-AES128-GCM-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:\
 
@@ -20,3 +19,16 @@ ECDHE-RSA-CHACHA20-POLY1305:\
 
!aNULL:!MD5:!EXPORT"
 
mail_message_size_limit: 10240000
 
mail_server_smtp_additional_configuration: ""
 

	
 
# Internal use only.
 

	
 
# Map Postfix smtpd allowed protocols based on minimum protocol
 
# specified (for use with submission port smtpd instance). A bit
 
# repetative, but easy to understand.
 
mail_server_smtpd_submission_protocols:
 
  SSLv2: ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  SSLv3: ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  TLSv1: ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  TLSv1.1: ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
  TLSv1.2: ["TLSv1.2", "TLSv1.3"]
 
  TLSv1.3: ["TLSv1.3"]
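Review bot: the ``mail_server_smtpd_submission_protocols`` map offers ``SSLv2`` and ``SSLv3`` as valid minimums, so a single variable value now enables both legacy protocols plus everything above them on the submission port; consider dropping those two keys, or at least validating ``mail_server_minimum_tls_protocol`` against the map keys with an assert task so an unsupported value fails with a clear message rather than a Jinja undefined-key error when ``master.cf.j2`` is rendered. Minor: ``repetative`` in the comment should read ``repetitive``.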
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -5,9 +5,7 @@ mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 
mail_server_tls_protocols:
 
  - TLSv1.2
 
  - TLSv1.1
 
mail_server_minimum_tls_protocol: TLSv1.1
 
mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
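Review bot: with the minimum now ``TLSv1.1`` the rendered Postfix value becomes ``TLSv1.1,TLSv1.2,TLSv1.3`` and Dovecot's ``ssl_min_protocol`` likewise admits TLSv1.3, whereas the old list stopped at ``TLSv1.2``; the changeset does not show ``expected_tls_versions`` in ``test_default.py`` being touched (only ``test_dovecot_warnings`` is added), so confirm that ``test_smtp_default_port_tls_version_and_ciphers`` and any IMAP counterpart still pass with TLSv1.3 enabled, or update their expectations here.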
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -705,3 +705,17 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers[distribution_release]
 

	
 

	
 
def test_dovecot_warnings(host):
 
    """
 
    Tests if Dovecot is reporting any warnings.
 
    """
 

	
 
    with host.sudo():
 

	
 
        # Use invocation ID to get service logs since last restart.
 
        invocation_id = host.run("systemctl show -p InvocationID --value dovecot").stdout.strip()
 
        invocation_logs = host.run("journalctl INVOCATION_ID=%s + _SYSTEMD_INVOCATION_ID=%s", invocation_id, invocation_id)
 

	
 
        assert "doveconf: Warning" not in invocation_logs.stdout
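Review bot: ``test_dovecot_warnings`` can pass vacuously: if ``dovecot`` is not running, ``InvocationID`` is empty and the ``journalctl`` query yields no output, and a failing ``journalctl`` call is never detected either, yet ``"doveconf: Warning" not in ""`` is true. Add ``assert invocation_id`` and ``assert invocation_logs.rc == 0`` ahead of the content check. Also consider matching on ``Warning:`` rather than only ``doveconf: Warning``, since the commit message targets Dovecot log warnings in general and other Dovecot processes log warnings under their own prefixes.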
roles/mail_server/templates/99-local.conf.j2
 
@@ -32,7 +32,7 @@ service auth {
 
ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem
 
ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key
 
ssl_dh=</etc/ssl/private/{{ inventory_hostname }}_imap.dh.pem
 
ssl_protocols = {{ mail_server_tls_protocols | join(' ') }}
 
ssl_min_protocol = {{ mail_server_minimum_tls_protocol }}
 
ssl_cipher_list = {{ mail_server_tls_ciphers }}
 
ssl = required
 

	
roles/mail_server/templates/master.cf.j2
 
@@ -133,6 +133,6 @@ submission inet n       -       y       -       -       smtpd
 
  -o smtpd_tls_auth_only=yes
 
  -o smtpd_recipient_restrictions=
 
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 
  -o smtpd_tls_mandatory_protocols={{ mail_server_tls_protocols | join(',') }}
 
  -o smtpd_tls_mandatory_protocols={{ mail_server_smtpd_submission_protocols[mail_server_minimum_tls_protocol] | join(',') }}
 
  -o smtpd_tls_mandatory_ciphers=high
 
  -o tls_high_cipherlist={{ mail_server_tls_ciphers }}
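Review bot: ``mail_server_smtpd_submission_protocols[mail_server_minimum_tls_protocol]`` fails at template-rendering time with an undefined-key error whenever the variable holds anything outside the six map keys (a lowercase ``tlsv1.2``, or the old list form that existing inventories still carry); validate the value with an ``ansible.builtin.assert`` task at the start of the role so the failure names the parameter and the accepted values instead of surfacing as a Jinja traceback.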
testsite/group_vars/mail.yml
 
@@ -32,9 +32,7 @@ smtp_allow_relay_from:
 

	
 
imap_max_user_connections_per_ip: 50
 

	
 
mail_server_tls_protocols:
 
  - TLSv1.2
 
  - TLSv1.1
 
mail_server_minimum_tls_protocol: TLSv1.1
 

	
 
mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\