From 7c3b8ad95412f61981cd9255bb9e1c44a41babab Mon Sep 17 00:00:00 2001 From: Lars Beckers <lars.beckers@rwth-aachen.de> Date: Fri, 19 Jul 2019 17:03:15 +0200 Subject: [PATCH] postfix: preset-based tls config, new presets --- postfix/defaults/main.yml | 6 ++++-- postfix/tasks/main.yml | 21 +++++++++++++++++++++ postfix/templates/main.cf.j2 | 26 +++++++++++++++++++++----- postfix/vars/tls-intermediate.yml | 9 +++++++++ postfix/vars/tls-modern.yml | 9 +++++++++ postfix/vars/tls-old.yml | 9 +++++++++ postfix/vars/tls-previous.yml | 9 +++++++++ 7 files changed, 82 insertions(+), 7 deletions(-) create mode 100644 postfix/vars/tls-intermediate.yml create mode 100644 postfix/vars/tls-modern.yml create mode 100644 postfix/vars/tls-old.yml create mode 100644 postfix/vars/tls-previous.yml diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 416ef41..bf3b041 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -6,8 +6,10 @@ postfix_virtual_domains: [] postfix_tls_cert: /etc/ssl/private/fullchain.pem postfix_tls_key: /etc/ssl/private/privkey.pem -postfix_tls_ciphers: "{{ tls_ciphers }}" -postfix_tls_protocols: '!SSLv2 !SSLv3' + +# possible values: modern, intermediate, old, previous +# see also: https://ssl-config.mozilla.org/ +postfix_tls_configuration: 'previous' postfix_prefer_lmtp: false postfix_enable_memcached: false diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 089e0dd..3f19f47 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -1,5 +1,12 @@ --- +- name: "include tls config vars (preset: {{ postfix_tls_configuration }})" + include_vars: + file: "tls-{{ postfix_tls_configuration }}.yml" + tags: + - postfix + - mail + - name: ensure all required postfix packages are installed apt: name: 
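Review bot: Removing `postfix_tls_ciphers` and `postfix_tls_protocols` from the defaults silently breaks inventories that override them: `postfix_tls_ciphers` is no longer read anywhere in the role (the `previous` preset reads `tls_ciphers` instead), and `postfix_tls_protocols` is now supplied by `include_vars`, which ranks above host_vars/group_vars, so an inventory value is overridden by the preset. The new default `previous` also keeps TLS 1.0/1.1 enabled (`!SSLv2 !SSLv3` only), a compatibility choice worth stating next to the variable. Suggest two comments here: `# inventory overrides of postfix_tls_protocols etc. have no effect: the preset file loaded via include_vars wins; use a custom preset or -e` and `# 'previous' keeps TLS 1.0/1.1 enabled; 'intermediate' is Mozilla's general-purpose recommendation`.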
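Review bot: `postfix_tls_configuration` is interpolated unchecked into the `include_vars` file name, so a typo or unexpected inventory value either fails at include time with a file-not-found message that does not name the allowed values, or, if some other `tls-<value>.yml` is reachable in the vars search path, loads a vars file the role never intended. An `assert` limited to the four shipped presets, placed before the include, gives a clear error and pins the allowed set; it needs the same `postfix`/`mail` tags so it is not skipped when the role runs with `--tags`. The rest of the tasks file lies outside this hunk.

```yaml
- name: ensure the tls preset is one of the shipped presets
  assert:
    that: postfix_tls_configuration in ['modern', 'intermediate', 'old', 'previous']
    fail_msg: "postfix_tls_configuration must be one of: modern, intermediate, old, previous"
  tags:
    - postfix
    - mail

# … unchanged: include_vars task and package installation …
```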
@@ -35,6 +42,20 @@ - postfix - mail +- name: ensure dh params are available + copy: + src: "{{ postfix_tls_dh_file }}" + dest: /etc/postfix/dh.pem + owner: root + group: root + mode: '0644' + when: postfix_tls_dh_file is string + notify: + - restart postfix + tags: + - postfix + - mail + - name: ensure memcached config is present template: src: memcached.conf.j2 diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2 index b891d06..7034c73 100644 --- a/postfix/templates/main.cf.j2 +++ b/postfix/templates/main.cf.j2 @@ -38,16 +38,32 @@ smtpd_relay_restrictions = defer_unauth_destination smtpd_use_tls = yes +smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_cert_file = {{ postfix_tls_cert }} smtpd_tls_key_file = {{ postfix_tls_key }} -smtpd_tls_eecdh_grade = ultra -smtpd_tls_mandatory_ciphers = high -smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }} -smtpd_tls_protocols = {{ postfix_tls_protocols }} smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -tls_high_cipherlist = {{ postfix_tls_ciphers }} +smtpd_tls_protocols = {{ postfix_tls_protocols }} +smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }} +{% if postfix_tls_mandatory_ciphers %} +smtpd_tls_mandatory_ciphers = {{ postfix_tls_mandatory_ciphers }} +{% endif %} +{% if postfix_tls_preempt_cipherlist %} +tls_preempt_cipherlist = {{ 'yes' if postfix_tls_preempt_cipherlist else 'no' }} +{% endif %} +{% if postfix_tls_eecdh_grade %} +smtpd_tls_eecdh_grade = {{ postfix_tls_eecdh_grade }} +{% endif %} +{% if postfix_tls_high_cipherlist %} +tls_high_cipherlist = {{ postfix_tls_high_cipherlist }} +{% endif %} +{% if postfix_tls_medium_cipherlist %} +tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }} +{% endif %} +{% if postfix_tls_dh_file %} +smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem +{% endif %} alias_maps = cdb:/etc/aliases alias_database = cdb:/etc/aliases 
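Review bot: The `copy` task sources `{{ postfix_tls_dh_file }}` from the role's files directory, but this commit adds no `postfix/files/ffdhe2048.txt` (the diffstat shows no `postfix/files/` entry), so the `intermediate` and `old` presets will fail at this task unless that file already exists in the role. Also, the task guards on `postfix_tls_dh_file is string` while the template guards on the variable's truthiness; an empty string passes the first test but not the second, producing a failing copy with no corresponding main.cf line. Using one test in both places, e.g. `when: postfix_tls_dh_file is string and postfix_tls_dh_file | length > 0` here, keeps them aligned. The surrounding tasks file continues outside this hunk.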
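Review bot: `smtpd_tls_mandatory_ciphers` governs only mandatory-TLS sessions, and this hunk sets `smtpd_tls_security_level = may`, so inbound opportunistic TLS keeps using `smtpd_tls_ciphers` (Postfix default `medium`); for the `previous` preset that means the `high` grade and its `tls_high_cipherlist` are not applied to ordinary inbound sessions, a gap that predates this change but is now encoded in the preset variables. Emitting `smtpd_tls_ciphers = {{ postfix_tls_mandatory_ciphers }}` inside the same `{% if %}` block closes it. Separately, `{% if postfix_tls_preempt_cipherlist %}` makes the `else 'no'` branch unreachable; `{% if postfix_tls_preempt_cipherlist is not none %}` lets a preset pin `no` explicitly. With `smtpd_tls_security_level` set, the legacy `smtpd_use_tls = yes` line is redundant and could be dropped.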
diff --git a/postfix/vars/tls-intermediate.yml b/postfix/vars/tls-intermediate.yml
new file mode 100644
index 0000000..588343d
--- /dev/null
+++ b/postfix/vars/tls-intermediate.yml
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+postfix_tls_mandatory_ciphers: medium
+postfix_tls_preempt_cipherlist: false
+postfix_tls_eecdh_grade: null
+postfix_tls_high_cipherlist: null
+postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
+postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
diff --git a/postfix/vars/tls-modern.yml b/postfix/vars/tls-modern.yml
new file mode 100644
index 0000000..2a2c9e7
--- /dev/null
+++ b/postfix/vars/tls-modern.yml
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2'
+postfix_tls_mandatory_ciphers: null
+postfix_tls_preempt_cipherlist: false
+postfix_tls_eecdh_grade: null
+postfix_tls_high_cipherlist: null
+postfix_tls_medium_cipherlist: null
+postfix_tls_dh_file: null
diff --git a/postfix/vars/tls-old.yml b/postfix/vars/tls-old.yml
new file mode 100644
index 0000000..a15cdc4
--- /dev/null
+++ b/postfix/vars/tls-old.yml
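Review bot: The preset records no provenance: nothing says which ssl-config.mozilla.org profile revision or date the `postfix_tls_medium_cipherlist` value was copied from, and those profiles are revised over time, so later comparison against the generator becomes guesswork. A header comment after `---`, such as `# Mozilla 'intermediate' profile for Postfix, taken from https://ssl-config.mozilla.org/ on <DATE>` (with the real date filled in), plus a one-liner noting that the `null` entries (`postfix_tls_eecdh_grade`, `postfix_tls_high_cipherlist`) intentionally leave the Postfix defaults in place, would make the file maintainable. The same applies to `tls-modern.yml`, `tls-old.yml` and `tls-previous.yml`.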
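Review bot: `postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2'` leaves TLS 1.3 as the only protocol, which needs a Postfix build with TLS 1.3 support (Postfix 3.4 with OpenSSL 1.1.1 or newer, as far as I recall); on an older build no protocol remains, every inbound STARTTLS handshake fails, and with `smtpd_tls_security_level = may` most opportunistic senders then fall back to cleartext. Since the role installs from apt with no version requirement visible in this patch, a comment at this line such as `# TLS 1.3 only: requires Postfix >= 3.4 built against OpenSSL >= 1.1.1, otherwise no protocol is left` or an `assert` on the installed Postfix version in tasks is warranted. With TLS 1.3 only, the `null` cipherlist and DH settings are correct, since cipherlist strings and DH parameter files do not apply to TLS 1.3 suites.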
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2, !SSLv3'
+postfix_tls_mandatory_ciphers: medium
+postfix_tls_preempt_cipherlist: true
+postfix_tls_eecdh_grade: null
+postfix_tls_high_cipherlist: null
+postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
+postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
diff --git a/postfix/vars/tls-previous.yml b/postfix/vars/tls-previous.yml
new file mode 100644
index 0000000..9598693
--- /dev/null
+++ b/postfix/vars/tls-previous.yml
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2 !SSLv3'
+postfix_tls_mandatory_ciphers: high
+postfix_tls_preempt_cipherlist: null
+postfix_tls_eecdh_grade: ultra
+postfix_tls_high_cipherlist: "{{ tls_ciphers }}"
+postfix_tls_medium_cipherlist: null
+postfix_tls_dh_file: null
--
GitLab
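Review bot: The `old` preset deliberately keeps 3DES (`DES-CBC3-SHA`) and SHA-1 CBC suites reachable and is the only preset that sets `postfix_tls_preempt_cipherlist: true`, yet neither choice is explained, so a later cleanup could "fix" the cipherlist or drop the server-side ordering and break the legacy clients this preset exists for. Suggest `# legacy-client profile: the 3DES and SHA-1 CBC suites at the end are intentional; use 'intermediate' unless old clients must connect` above `postfix_tls_medium_cipherlist` and `# server-side ordering so the server, not the client, picks the strongest mutually supported suite` above `postfix_tls_preempt_cipherlist`.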
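Review bot: `postfix_tls_high_cipherlist: "{{ tls_ciphers }}"` makes the default preset depend on a variable this role neither defines nor documents; on a host where `tls_ciphers` is unset, rendering main.cf fails with an undefined-variable error, and any change to that shared variable elsewhere alters this preset unnoticed. Either inline the intended list here or document the dependency, e.g. `# expects tls_ciphers (site-wide cipher list) to be defined outside this role`. Minor: `'!SSLv2 !SSLv3'` is space-separated while the other presets use comma-separated lists; Postfix accepts both, but one form across the presets reads better.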