Merge pull request #136 from Oefenweb/pr-123

Adding tls cipher enforcing configuration for smtp and smtpd
Oefenweb · Mar 20, 2024 · 2bd01fb · 2bd01fb
2 parents e5ec64d + df801e2
commit 2bd01fb
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -71,8 +71,17 @@ None
  * `postfix_smtpd_tls_key_file` [default: `/etc/ssl/certs/ssl-cert-snakeoil.key`]: Path to key file
 
  * `postfix_smtpd_security_level` [optional]: The SMTP TLS security level for the Postfix SMTP server ([see](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level))
+
+ * `postfix_smtp_tls_mandatory_ciphers` [optional]: The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS ([see](https://www.postfix.org/postconf.5.html#smtp_tls_mandatory_ciphers))
+ * `postfix_smtp_tls_mandatory_protocols` [optional]: TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption ([see](https://www.postfix.org/postconf.5.smtp_tls_mandatory_protocols))
+ * `postfix_smtp_tls_protocols` [optional]: TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption ([see](https://www.postfix.org/postconf.5.html#smtp_tls_protocols))
+ * `postfix_smtpd_tls_mandatory_ciphers` [optional]: The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.  ([see](https://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers))
+ * `postfix_smtpd_tls_mandatory_protocols` [optional]: TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption ([see](https://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols))
+ * `postfix_smtpd_tls_protocols` [optional]: TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption ([see](https://www.postfix.org/postconf.5.html#smtpd_tls_protocols))
+
  * `postfix_raw_options` [default: `[]`]: List of lines (to pass extra (unsupported) configuration)
 
+
 ## Dependencies
 
 * `debconf`

diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2
@@ -32,6 +32,25 @@ smtpd_tls_security_level = {{ postfix_smtpd_tls_security_level }}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
+{% if postfix_smtp_tls_mandatory_ciphers is defined %}
+smtp_tls_mandatory_ciphers = {{ postfix_smtp_tls_mandatory_ciphers }}
+{% endif %}
+{% if postfix_smtpd_tls_mandatory_ciphers is defined %}
+smtpd_tls_mandatory_ciphers = {{ postfix_smtpd_tls_mandatory_ciphers }}
+{% endif %}
+{% if postfix_smtpd_tls_mandatory_protocols is defined %}
+smtpd_tls_mandatory_protocols = {{ postfix_smtpd_tls_mandatory_protocols }}
+{% endif %}
+{% if postfix_smtpd_tls_protocols is defined %}
+smtpd_tls_protocols = {{ postfix_smtpd_tls_protocols  }}
+{% endif %}
+{% if postfix_smtp_tls_mandatory_protocols is defined %}
+smtp_tls_mandatory_protocols = {{ postfix_smtp_tls_mandatory_protocols }}
+{% endif %}
+{% if postfix_smtp_tls_protocols is defined %}
+smtp_tls_protocols = {{ postfix_smtp_tls_protocols }}
+{% endif %}
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.