Commit 90090b33 authored by Hinrikus Wolf's avatar Hinrikus Wolf

Merge branch 'ext-2' into 'master'

Buster Compat and Improved TLS Settings

Dovecot updated some TLS parameters in their config file. This adds the new parameters in a backward compatible manner.

Prompted by that move, I also changed dovecot and postfix to a preset-based configuration of TLS. The default preset is `previous`, which should give you an equivalent configuration to before, regardless of whether you are on stretch or buster (minus OpenSSL changes). Also, there are presets `modern`, `intermediate`, `old` directly from the new <https://ssl-config.mozilla.org>. But beware, at least dovecot currently errors on TLSv1.3-only `modern` although OpenSSL should be able to handle it. The preset **overrides** all manual configuration, so you should upgrade your custom variables.

Beware, that there are two **open bugs** on Debian's dovecot package which may impact your setup:
- [928492: doveadm errors on listing PAM users, because of a glibc change](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928492)
- [930919: dsync no longer syncs Sieve scripts](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930919)

For both bugs there is a patch on the dovecot repository that is already merged. But none made it into Debian yet.

See merge request !3
parents 28987fab 7c3b8ad9
Showing
with 204 additions and 12 deletions
......@@ -14,9 +14,10 @@ dovecot_max_uid: 0
dovecot_tls_cert: /etc/ssl/private/fullchain.pem
dovecot_tls_key: /etc/ssl/private/privkey.pem
dovecot_tls_ca_dir: /etc/ssl/certs
dovecot_tls_ciphers: "{{ tls_ciphers }}"
dovecot_tls_dh_length: 4096
dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
# possible values: modern, intermediate, old, previous
# see also: https://ssl-config.mozilla.org/
dovecot_tls_configuration: 'previous'
dovecot_dsync: false
dovecot_dsync_tls: false
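Review bot: The new `dovecot_tls_configuration: 'previous'` default is interpolated directly into an include_vars file name by the tasks, so the comment above it is the only guard against an unknown value, and it does not say what `previous` implies: tls-previous.yml keeps `dovecot_tls_min_protocol: 'TLSv1.1'`, so the default stays on a deprecated protocol floor unless an operator opts into `intermediate`. I would extend the comment, e.g. `# the preset overrides the dovecot_tls_* values below; 'previous' keeps the pre-preset TLSv1.1 floor, pick 'intermediate' for a current baseline`. The same applies to `postfix_tls_configuration` in the postfix defaults, where `previous` only excludes SSLv2/SSLv3. Which of the old `dovecot_tls_protocols`/`dovecot_tls_dh_length` lines are removed here cannot be recovered from the rendered hunk, so I have not assumed either way.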
......
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
\ No newline at end of file
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----
\ No newline at end of file
---
- name: "include tls config vars (preset: {{ dovecot_tls_configuration }})"
include_vars:
file: "tls-{{ dovecot_tls_configuration }}.yml"
tags:
- dovecot
- mail
- name: ensure all required dovecot packages are installed
apt:
name:
......@@ -36,6 +43,20 @@
- dovecot
- mail
- name: ensure dh params are available
copy:
src: "{{ dovecot_tls_dh_file }}"
dest: /etc/dovecot/dh.pem
owner: root
group: root
mode: '0644'
when: dovecot_tls_dh_file is string
notify:
- restart dovecot
tags:
- dovecot
- mail
- name: ensure there is a folder for global sieve scripts
file:
dest: /var/lib/dovecot/sieve.d
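Review bot: The `include tls config vars` task at the top of this section builds `tls-{{ dovecot_tls_configuration }}.yml` from an unchecked variable, so a misspelt preset fails late with a file-not-found error that never mentions the variable; a guard in front of it, `- assert:` / `    that: dovecot_tls_configuration in ['modern', 'intermediate', 'old', 'previous']` / `    fail_msg: "unknown dovecot_tls_configuration preset"`, fails early and says why. The same applies to the include_vars task in the postfix tasks file. The `ensure dh params are available` task copies `ffdhe*.txt` files whose origin is not recorded in the role; if they are the RFC 7919 groups from ssl-config.mozilla.org, as the file names suggest, a comment on the task saying so lets a reviewer compare them against the published values instead of trusting the blob. Note also that this task runs only `when: dovecot_tls_dh_file is string`, while the 10-ssl.conf template tests plain truthiness, so the two should use the same test. Both task lists continue outside the hunks.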
......
......@@ -42,18 +42,39 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
{% if ansible_distribution_major_version|int < 10 %}
# DH parameters length to use.
{% if dovecot_tls_dh_length %}
ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
{% else %}
#ssl_dh_parameters_length =
{% endif %}
{% else %}
# DH parameters to use.
{% if dovecot_tls_dh_file %}
ssl_dh = </etc/dovecot/dh.pem
{% else %}
#ssl_dh =
{% endif %}
{% endif %}
{% if ansible_distribution_major_version|int < 10 %}
# SSL protocols to use
ssl_protocols = {{ dovecot_tls_protocols }}
{% else %}
# Minimum TLS version to use
ssl_min_protocol = {{ dovecot_tls_min_protocol }}
{% endif %}
# SSL ciphers to use
#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
{% if dovecot_tls_ciphers %}
ssl_cipher_list = {{ dovecot_tls_ciphers }}
{% else %}
#ssl_cipher_list =
{% endif %}
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
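Review bot: The two `{% if ansible_distribution_major_version|int < 10 %}` gates select Dovecot settings (`ssl_dh`/`ssl_min_protocol` versus `ssl_dh_parameters_length`/`ssl_protocols`), so what is really being tested is the Dovecot version shipped with the distribution, and on a derivative with different major numbers the wrong branch would render; evaluate it once and name it, `{% set dovecot_legacy = ansible_distribution_major_version|int < 10 %}` near the top with `{% if dovecot_legacy %}` in both places, and add a comment saying it stands for the stretch versus buster Dovecot version (confirm against the package versions). The `{% if dovecot_tls_dh_file %}` branch emits `ssl_dh = </etc/dovecot/dh.pem` for any truthy value, whereas the copy task that creates that file runs only when the variable `is string`, so a non-string value leaves Dovecot pointing at a file that was never installed; use the same test in both places. The surrounding file continues outside the hunk.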
......
---
dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'
dovecot_tls_min_protocol: 'TLSv1.2'
dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
dovecot_tls_dh_length: 4096 # 2048
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_prefer_server_ciphers: false
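Review bot: This preset pins `dovecot_tls_dh_length: 4096` and `ffdhe4096.txt`, while the postfix intermediate preset ships `ffdhe2048.txt`; the Mozilla intermediate profile the defaults point to uses the 2048-bit group, so either the two roles should agree or the reason for the larger group should be stated. The trailing `# 2048` and `# ffdhe2048.txt` comments read as alternatives but do not say so; `# Mozilla intermediate uses ffdhe2048; 4096 chosen here, change both lines together` would make the intent explicit. The same trailing-comment style appears in the old and previous presets.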
---
dovecot_tls_protocols: 'TLSv1.3'
dovecot_tls_min_protocol: 'TLSv1.3'
dovecot_tls_ciphers: null
dovecot_tls_dh_length: null
dovecot_tls_dh_file: null
dovecot_tls_prefer_server_ciphers: false
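Review bot: Nothing in this preset file warns that it is currently unusable; the merge description says Dovecot errors on the TLSv1.3-only `modern` setting, but a reader of tls-modern.yml will not see that. A header comment, `# TLSv1.3 only (Mozilla 'modern'); currently fails on Debian's dovecot, see merge request !3`, keeps the caveat next to the values. On stretch the same `'TLSv1.3'` string is rendered into `ssl_protocols` by the template's pre-buster branch, so the preset is not expected to work there either; say so in the same comment once that is confirmed.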
---
dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
dovecot_tls_min_protocol: 'TLSv1'
dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
dovecot_tls_dh_length: 2048 # 1024
dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
dovecot_tls_prefer_server_ciphers: true
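Review bot: The comment `# openssl dhparam 1024 > ffdhe1024.txt` on the `dovecot_tls_dh_file` line documents how to drop to a 1024-bit DH group, smaller than anything the other presets or the Mozilla intermediate profile use, while the preset itself already ships the 2048-bit group; a comment pointing the other way, `# 2048-bit is the floor used here; do not generate smaller groups`, is what an operator copying this file should see. The preset also enables TLSv1 and CBC/3DES suites by design, so a one-line header stating that it exists for legacy clients only would stop it being picked as a safe default.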
---
dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
dovecot_tls_min_protocol: 'TLSv1.1'
dovecot_tls_ciphers: "{{ tls_ciphers }}"
dovecot_tls_dh_length: 4096
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_prefer_server_ciphers: true
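Review bot: `dovecot_tls_ciphers: "{{ tls_ciphers }}"` makes this preset depend on a `tls_ciphers` variable that nothing visible in this commit defines, so on a host without it the 10-ssl.conf template fails with an undefined-variable error; either document the dependency in a comment, `# tls_ciphers must be defined by the playbook or group vars`, or give it a default with `{{ tls_ciphers | default(...) }}`. The same reference appears as `postfix_tls_high_cipherlist` in the postfix previous preset. Since this file is the shipped default preset, a header line saying it reproduces the pre-preset configuration, TLSv1.1 floor included, would also help.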
......@@ -6,8 +6,10 @@ postfix_virtual_domains: []
postfix_tls_cert: /etc/ssl/private/fullchain.pem
postfix_tls_key: /etc/ssl/private/privkey.pem
postfix_tls_ciphers: "{{ tls_ciphers }}"
postfix_tls_protocols: '!SSLv2 !SSLv3'
# possible values: modern, intermediate, old, previous
# see also: https://ssl-config.mozilla.org/
postfix_tls_configuration: 'previous'
postfix_prefer_lmtp: false
postfix_enable_memcached: false
......
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
\ No newline at end of file
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
-----END DH PARAMETERS-----
\ No newline at end of file
---
- name: "include tls config vars (preset: {{ postfix_tls_configuration }})"
include_vars:
file: "tls-{{ postfix_tls_configuration }}.yml"
tags:
- postfix
- mail
- name: ensure all required postfix packages are installed
apt:
name:
......@@ -35,6 +42,20 @@
- postfix
- mail
- name: ensure dh params are available
copy:
src: "{{ postfix_tls_dh_file }}"
dest: /etc/postfix/dh.pem
owner: root
group: root
mode: '0644'
when: postfix_tls_dh_file is string
notify:
- restart postfix
tags:
- postfix
- mail
- name: ensure memcached config is present
template:
src: memcached.conf.j2
......
......@@ -38,16 +38,32 @@ smtpd_relay_restrictions =
defer_unauth_destination
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_tls_cert }}
smtpd_tls_key_file = {{ postfix_tls_key }}
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_high_cipherlist = {{ postfix_tls_ciphers }}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
{% if postfix_tls_mandatory_ciphers %}
smtpd_tls_mandatory_ciphers = {{ postfix_tls_mandatory_ciphers }}
{% endif %}
{% if postfix_tls_preempt_cipherlist %}
tls_preempt_cipherlist = {{ 'yes' if postfix_tls_preempt_cipherlist else 'no' }}
{% endif %}
{% if postfix_tls_eecdh_grade %}
smtpd_tls_eecdh_grade = {{ postfix_tls_eecdh_grade }}
{% endif %}
{% if postfix_tls_high_cipherlist %}
tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
{% endif %}
{% if postfix_tls_medium_cipherlist %}
tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
{% endif %}
{% if postfix_tls_dh_file %}
smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
{% endif %}
alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
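Review bot: The `tls_preempt_cipherlist` line is wrapped in `{% if postfix_tls_preempt_cipherlist %}`, so its `else 'no'` branch can never render and an explicit `false` emits nothing, silently relying on the Postfix default; `{% if postfix_tls_preempt_cipherlist is not none %}` makes the yes/no expression meaningful, and the same pattern would fit the other optional keys. Per the Postfix documentation, `smtpd_tls_mandatory_ciphers` only governs sessions at security level `encrypt` or stronger, and `smtpd_tls_security_level` stays `may` here, so opportunistic inbound TLS is governed by `smtpd_tls_ciphers` (default `medium`), which none of the presets set; for the `previous` preset that means `tls_high_cipherlist` applies only to mandatory sessions, as before this change. That is worth a comment on the template, or setting `smtpd_tls_ciphers` from the presets as well. Outbound `smtp_tls_*` protocol and cipher settings are not covered by the presets, as far as this hunk shows. The file continues outside the hunk.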
......
---
postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postfix_tls_mandatory_ciphers: medium
postfix_tls_preempt_cipherlist: false
postfix_tls_eecdh_grade: null
postfix_tls_high_cipherlist: null
postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
---
postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2'
postfix_tls_mandatory_ciphers: null
postfix_tls_preempt_cipherlist: false
postfix_tls_eecdh_grade: null
postfix_tls_high_cipherlist: null
postfix_tls_medium_cipherlist: null
postfix_tls_dh_file: null
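Review bot: This preset leaves only TLSv1.3 for `smtpd_tls_protocols`, and because the template keeps `smtpd_tls_security_level = may`, peers that cannot negotiate it may either give up or retry without TLS, which turns a hardening preset into a plaintext fallback for exactly the senders it excludes; that trade-off belongs in a header comment, e.g. `# TLSv1.3 only; with smtpd_tls_security_level = may, incompatible peers may fall back to plaintext`. On stretch, whose Postfix/OpenSSL predate TLS 1.3, no inbound STARTTLS session could succeed at all, if that is confirmed against the package versions.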
---
postfix_tls_protocols: '!SSLv2, !SSLv3'
postfix_tls_mandatory_ciphers: medium
postfix_tls_preempt_cipherlist: true
postfix_tls_eecdh_grade: null
postfix_tls_high_cipherlist: null
postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
---
postfix_tls_protocols: '!SSLv2 !SSLv3'
postfix_tls_mandatory_ciphers: high
postfix_tls_preempt_cipherlist: null
postfix_tls_eecdh_grade: ultra
postfix_tls_high_cipherlist: "{{ tls_ciphers }}"
postfix_tls_medium_cipherlist: null
postfix_tls_dh_file: null