From a3c96c403227b388df5418acc57ff0fc4df9f32e Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Jul 21 2022 23:33:25 +0000
Subject: postfix: gateway: consolidate tls settings and use chain-file.

Signed-off-by: Kevin Fenzi
---
diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index ee6a1eb..be4aaa5 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -714,39 +714,6 @@ sample_directory = /usr/share/doc/postfix/samples
 # readme_directory = /usr/share/doc/postfix/README_FILES
 
-# TLS CONFIGURATION
-#
-# Basic Postfix TLS configuration by default with self-signed certificate
-# for inbound SMTP and also opportunistic TLS for outbound SMTP.
-
-# The full pathname of a file with the Postfix SMTP server RSA certificate
-# in PEM format. Intermediate certificates should be included in general,
-# the server certificate first, then the issuing CA(s) (bottom-up order).
-#
-smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.crt
-
-# The full pathname of a file with the Postfix SMTP server RSA private key
-# in PEM format. The private key must be accessible without a pass-phrase,
-# i.e. it must not be encrypted.
-#
-smtpd_tls_key_file = /etc/pki/tls/private/gateway.key
-
-# Announce STARTTLS support to remote SMTP clients, but do not require that
-# clients use TLS encryption (opportunistic TLS inbound).
-#
-smtpd_tls_security_level = may
-
-# Directory with PEM format Certification Authority certificates that the
-# Postfix SMTP client uses to verify a remote SMTP server certificate.
-#
-smtp_tls_CApath = /etc/pki/tls/certs
-
-# The full pathname of a file containing CA certificates of root CAs
-# trusted to sign either remote SMTP server certificates or intermediate CA
-# certificates.
-#
-smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-
 ## TLS
 # enable opportunistic TLS support in the SMTP server
 smtpd_use_tls = yes
@@ -755,12 +722,13 @@ smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
 smtpd_tls_loglevel = 1
-smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_chain_files = /etc/pki/tls/private/gateway-chain.pem
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
 smtpd_tls_received_header = yes
 smtpd_tls_ask_ccert = yes
 smtpd_tls_received_header = yes
+smtpd_tls_security_level = may
 smtpd_tls_eecdh_grade = ultra
 # smtpd TLS end
 # smtp TLS Client
@@ -771,9 +739,7 @@ smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
 smtp_tls_mandatory_ciphers = high
 smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
 smtp_tls_loglevel = 1
-smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
-smtp_tls_key_file = /etc/pki/tls/private/gateway.key
-smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtp_tls_chain_files = /etc/pki/tls/private/gateway-chain.pem
 smtp_tls_security_level = may
 smtp_tls_connection_reuse = no
 smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com,redhat.com
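Review bot: `smtpd_tls_ask_ccert = yes` is kept while the only `smtpd_tls_CAfile` line is replaced by `smtpd_tls_chain_files`, so the server will still request client certificates but has no trust anchors left to verify them against, and nothing to advertise as acceptable CA names in the certificate request. If client-certificate based relaying is not in use, `smtpd_tls_ask_ccert = yes` should be dropped as well; if it is, `smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt` should stay next to the new chain file, since the chain file only carries this host's own key and certificate and does not replace the CA bundle. The hunk also leaves `smtpd_tls_received_header = yes` set twice; the second copy is dead and should go. A short comment above the new line, such as `# gateway-chain.pem: private key first, then the server cert, then any intermediates`, would document the layout the chain-file option expects and why the file lives under private/.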
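Review bot: With `smtp_tls_CAfile` removed here and `smtp_tls_CApath` removed in the first hunk, the SMTP client is left with no CA trust anchors at all. At `smtp_tls_security_level = may` no server-certificate verification takes place, so this is not a behavioural regression today, but any later move to `verify`/`secure` or a per-destination entry in `smtp_tls_policy_maps` will be unable to validate any remote certificate until a trust store is configured again, and nothing in the config would flag that. I would retain `smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt` alongside `smtp_tls_chain_files`, as the chain file provides only the client's own identity, not third-party trust.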