diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 9c147a9d19eda065d5da70e23ad87915ae8391af..f2b867cfc0cd3c676d3d541d294b4f42abd3e489 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -14,9 +14,10 @@ dovecot_max_uid: 0 dovecot_tls_cert: /etc/ssl/private/fullchain.pem dovecot_tls_key: /etc/ssl/private/privkey.pem dovecot_tls_ca_dir: /etc/ssl/certs -dovecot_tls_ciphers: "{{ tls_ciphers }}" -dovecot_tls_dh_length: 4096 -dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3' + +# possible values: modern, intermediate, old, previous +# see also: https://ssl-config.mozilla.org/ +dovecot_tls_configuration: 'previous' dovecot_dsync: false dovecot_dsync_tls: false diff --git a/dovecot/files/ffdhe2048.txt b/dovecot/files/ffdhe2048.txt new file mode 100644 index 0000000000000000000000000000000000000000..088f9673dc88721909c0952a0986bdc2cc112bdd --- /dev/null +++ b/dovecot/files/ffdhe2048.txt @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/dovecot/files/ffdhe4096.txt b/dovecot/files/ffdhe4096.txt new file mode 100644 index 0000000000000000000000000000000000000000..c5ebc5f55c99098e8e1fae168d956ad26be248c6 --- /dev/null +++ b/dovecot/files/ffdhe4096.txt 
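Review bot: The new comment on `dovecot_tls_configuration` lists the preset names but not what choosing one does: tasks/main.yml loads `vars/tls-{{ dovecot_tls_configuration }}.yml` with `include_vars`, and variables set that way take precedence over inventory and group_vars, so a per-host `dovecot_tls_ciphers` or `dovecot_tls_protocols` override that used to win against the removed defaults is now silently replaced by the preset. It is also worth stating that the default `previous` keeps TLSv1.1 (tls-previous.yml sets `dovecot_tls_min_protocol: 'TLSv1.1'`) and its Postfix counterpart keeps TLSv1.0 (`'!SSLv2 !SSLv3'`), so operators know they must opt in to `intermediate` or `modern` for a current baseline. Suggested lines: `# loads vars/tls-<preset>.yml via include_vars; those values override inventory/group_vars` and `# 'previous' = pre-preset behaviour (still allows TLSv1.1); use intermediate/modern for a current baseline`. The same comment is added unchanged in postfix/defaults/main.yml and needs the same treatment.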
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 9148c20fcb5f2256868b26504483622304783b32..0102bde55ddafc6eed05f92b4c7a2361266b7196 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -1,5 +1,12 @@ --- +- name: "include tls config vars (preset: {{ dovecot_tls_configuration }})" + include_vars: + file: "tls-{{ dovecot_tls_configuration }}.yml" + tags: + - dovecot + - mail + - name: ensure all required dovecot packages are installed apt: name: @@ -36,6 +43,20 @@ - dovecot - mail +- name: ensure dh params are available + copy: + src: "{{ dovecot_tls_dh_file }}" + dest: /etc/dovecot/dh.pem + owner: root + group: root + mode: '0644' + when: dovecot_tls_dh_file is string + notify: + - restart dovecot + tags: + - dovecot + - mail + - name: ensure there is a folder for global sieve scripts file: dest: /var/lib/dovecot/sieve.d diff --git a/dovecot/templates/conf.d/10-ssl.conf.j2 b/dovecot/templates/conf.d/10-ssl.conf.j2 index 54bfbc81f138c79f269f054d846e0d93db48611e..a46162095dd4b9774872b6305012efa02a492566 100644 --- a/dovecot/templates/conf.d/10-ssl.conf.j2 +++ b/dovecot/templates/conf.d/10-ssl.conf.j2 
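Review bot: The new `ensure dh params are available` task installs `files/{{ dovecot_tls_dh_file }}` as `/etc/dovecot/dh.pem` without saying what those parameters are, and the two blobs do not match their names: files/ffdhe2048.txt decodes to the RFC 7919 ffdhe2048 prime (leading bytes `ffffffff ffffffff adf85458 a2bb4a9a afdc5620`), but files/ffdhe4096.txt decodes to `ffffffff ffffffff c90fdaa2 2168c234 c4c6628b`, which is the 4096-bit MODP group of RFC 3526 (group 16), not ffdhe4096. That group is a well-known safe prime and not weak, but the label is wrong and anyone auditing the deployment against RFC 7919 would reject it; either ship the real ffdhe4096 parameters or rename the file so the presets that reference it (`dovecot_tls_dh_file: ffdhe4096.txt` in vars/tls-intermediate.yml and vars/tls-previous.yml) say what they install. Add a comment on the task such as `# dh.pem is a published safe-prime group (RFC 7919 / RFC 3526); check files/*.txt against the RFC text before changing them` and consider pinning the transfer with the copy module's `checksum:` option (sha1 of the chosen file, computed locally and stored as a placeholder until verified). The identical task and the identical two files are added for Postfix (postfix/tasks/main.yml, postfix/files/), so the mislabelling is duplicated there.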
@@ -42,18 +42,39 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }} # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName +{% if ansible_distribution_major_version|int < 10 %} # DH parameters length to use. +{% if dovecot_tls_dh_length %} ssl_dh_parameters_length = {{ dovecot_tls_dh_length }} +{% else %} +#ssl_dh_parameters_length = +{% endif %} +{% else %} +# DH parameters to use. +{% if dovecot_tls_dh_file %} +ssl_dh = </etc/dovecot/dh.pem +{% else %} +#ssl_dh = +{% endif %} +{% endif %} +{% if ansible_distribution_major_version|int < 10 %} # SSL protocols to use ssl_protocols = {{ dovecot_tls_protocols }} +{% else %} +# Minimum TLS version to use +ssl_min_protocol = {{ dovecot_tls_min_protocol }} +{% endif %} # SSL ciphers to use -#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1 +{% if dovecot_tls_ciphers %} ssl_cipher_list = {{ dovecot_tls_ciphers }} +{% else %} +#ssl_cipher_list = +{% endif %} # Prefer the server's order of ciphers over client's. -ssl_prefer_server_ciphers = yes +ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }} # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = diff --git a/dovecot/vars/tls-intermediate.yml b/dovecot/vars/tls-intermediate.yml new file mode 100644 index 0000000000000000000000000000000000000000..dcb1468abcf9e3fa43203779d4188905a0338c8a --- /dev/null +++ b/dovecot/vars/tls-intermediate.yml @@ -0,0 +1,8 @@ +--- + +dovecot_tls_protocols: 'TLSv1.2 TLSv1.3' +dovecot_tls_min_protocol: 'TLSv1.2' +dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' +dovecot_tls_dh_length: 4096 # 2048 +dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt +dovecot_tls_prefer_server_ciphers: false 
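Review bot: Both new `{% if ansible_distribution_major_version|int < 10 %}` gates choose between the `ssl_protocols`/`ssl_dh_parameters_length` form and the `ssl_min_protocol`/`ssl_dh` form by distribution release number alone, but the real switch is the Dovecot version (the latter settings exist from Dovecot 2.3, where `ssl_protocols` was removed), so a non-Debian apt host such as Ubuntu 18.04 (major version 18, Dovecot 2.2.x as far as I recall) would get settings its daemon rejects. Gate on the installed Dovecot version (a registered `dovecot --version` fact) or at least on `ansible_distribution == 'Debian'` together with the release check, and say so in the template: `{# Dovecot >= 2.3 (Debian 10+) replaced ssl_protocols with ssl_min_protocol and ssl_dh_parameters_length with ssl_dh #}`. In the `< 10` branch the `modern` preset renders `ssl_protocols = TLSv1.3`, which the Dovecot 2.2 / OpenSSL 1.1.0 stack on Debian 9 most likely does not accept; either document in defaults that `modern` requires Debian 10 or later, or make the template fall back for that case. The template section this hunk edits continues outside the hunk.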
diff --git a/dovecot/vars/tls-modern.yml b/dovecot/vars/tls-modern.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ef71bddb98777422cf9a04a18b35128955dc6bbe
--- /dev/null
+++ b/dovecot/vars/tls-modern.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1.3'
+dovecot_tls_min_protocol: 'TLSv1.3'
+dovecot_tls_ciphers: null
+dovecot_tls_dh_length: null
+dovecot_tls_dh_file: null
+dovecot_tls_prefer_server_ciphers: false
diff --git a/dovecot/vars/tls-old.yml b/dovecot/vars/tls-old.yml
new file mode 100644
index 0000000000000000000000000000000000000000..936012fb4b37051210f911087cb256db0bff2841
--- /dev/null
+++ b/dovecot/vars/tls-old.yml
@@ -0,0 +1,8 @@
+---
+
+dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
+dovecot_tls_min_protocol: 'TLSv1'
+dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
+dovecot_tls_dh_length: 2048 # 1024
+dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
+dovecot_tls_prefer_server_ciphers: true
diff --git a/dovecot/vars/tls-previous.yml b/dovecot/vars/tls-previous.yml
new file mode 100644
index 0000000000000000000000000000000000000000..82d3f36845aee92078fafdd7c31e257fd7efdb02
--- /dev/null
+++ b/dovecot/vars/tls-previous.yml
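Review bot: The trailing comment on `dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt` in tls-old.yml reads as a recipe for generating 1024-bit DH parameters, and `dovecot_tls_dh_length: 2048 # 1024` hints at the same downgrade; 1024-bit DH is below current minimums and a hardening role should not carry a ready-made instruction for it. Replace both trailing comments with a caveat that explains the preset instead, e.g. `# compatibility preset: enables TLS 1.0/1.1 and SHA-1/3DES suites for legacy clients; keep DH at 2048 bits or above`, and leave the 2048-bit file as the only shipped option. postfix/vars/tls-old.yml (`'!SSLv2, !SSLv3'` with the same suite list) deserves the same header comment.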
@@ -0,0 +1,8 @@ +--- + +dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3' +dovecot_tls_min_protocol: 'TLSv1.1' +dovecot_tls_ciphers: "{{ tls_ciphers }}" +dovecot_tls_dh_length: 4096 +dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt +dovecot_tls_prefer_server_ciphers: true diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 416ef41d6a4d36aed31cb748e63855d3c08d89cb..bf3b04160adf364ecf54099deef7472105ad0777 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -6,8 +6,10 @@ postfix_virtual_domains: [] postfix_tls_cert: /etc/ssl/private/fullchain.pem postfix_tls_key: /etc/ssl/private/privkey.pem -postfix_tls_ciphers: "{{ tls_ciphers }}" -postfix_tls_protocols: '!SSLv2 !SSLv3' + +# possible values: modern, intermediate, old, previous +# see also: https://ssl-config.mozilla.org/ +postfix_tls_configuration: 'previous' postfix_prefer_lmtp: false postfix_enable_memcached: false diff --git a/postfix/files/ffdhe2048.txt b/postfix/files/ffdhe2048.txt new file mode 100644 index 0000000000000000000000000000000000000000..088f9673dc88721909c0952a0986bdc2cc112bdd --- /dev/null +++ b/postfix/files/ffdhe2048.txt @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/postfix/files/ffdhe4096.txt b/postfix/files/ffdhe4096.txt new file mode 100644 index 0000000000000000000000000000000000000000..c5ebc5f55c99098e8e1fae168d956ad26be248c6 --- /dev/null +++ b/postfix/files/ffdhe4096.txt 
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 089e0dd0f079b7ac2817b60af2e65d211ce4880d..3f19f4743a5cb4983f95ae36cda871870b2da13a 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -1,5 +1,12 @@ --- +- name: "include tls config vars (preset: {{ postfix_tls_configuration }})" + include_vars: + file: "tls-{{ postfix_tls_configuration }}.yml" + tags: + - postfix + - mail + - name: ensure all required postfix packages are installed apt: name: @@ -35,6 +42,20 @@ - postfix - mail +- name: ensure dh params are available + copy: + src: "{{ postfix_tls_dh_file }}" + dest: /etc/postfix/dh.pem + owner: root + group: root + mode: '0644' + when: postfix_tls_dh_file is string + notify: + - restart postfix + tags: + - postfix + - mail + - name: ensure memcached config is present template: src: memcached.conf.j2 diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2 index b891d06cabac1898f6f96f2a3234746c09aafa44..7034c73d8f87e0f42b0dbbeb218c0c65b96ee1c4 100644 --- a/postfix/templates/main.cf.j2 +++ b/postfix/templates/main.cf.j2 
@@ -38,16 +38,32 @@ smtpd_relay_restrictions = defer_unauth_destination smtpd_use_tls = yes +smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_cert_file = {{ postfix_tls_cert }} smtpd_tls_key_file = {{ postfix_tls_key }} -smtpd_tls_eecdh_grade = ultra -smtpd_tls_mandatory_ciphers = high -smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }} -smtpd_tls_protocols = {{ postfix_tls_protocols }} smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -tls_high_cipherlist = {{ postfix_tls_ciphers }} +smtpd_tls_protocols = {{ postfix_tls_protocols }} +smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }} +{% if postfix_tls_mandatory_ciphers %} +smtpd_tls_mandatory_ciphers = {{ postfix_tls_mandatory_ciphers }} +{% endif %} +{% if postfix_tls_preempt_cipherlist %} +tls_preempt_cipherlist = {{ 'yes' if postfix_tls_preempt_cipherlist else 'no' }} +{% endif %} +{% if postfix_tls_eecdh_grade %} +smtpd_tls_eecdh_grade = {{ postfix_tls_eecdh_grade }} +{% endif %} +{% if postfix_tls_high_cipherlist %} +tls_high_cipherlist = {{ postfix_tls_high_cipherlist }} +{% endif %} +{% if postfix_tls_medium_cipherlist %} +tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }} +{% endif %} +{% if postfix_tls_dh_file %} +smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem +{% endif %} alias_maps = cdb:/etc/aliases alias_database = cdb:/etc/aliases diff --git a/postfix/vars/tls-intermediate.yml b/postfix/vars/tls-intermediate.yml new file mode 100644 index 0000000000000000000000000000000000000000..588343d93a5b0796805225e147e8af819aabdc89 --- /dev/null +++ b/postfix/vars/tls-intermediate.yml 
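Review bot: `tls_preempt_cipherlist = {{ 'yes' if postfix_tls_preempt_cipherlist else 'no' }}` sits inside `{% if postfix_tls_preempt_cipherlist %}`, so the `'no'` branch can never render and a preset that sets the variable to `false` (tls-intermediate.yml, tls-modern.yml) emits nothing and silently relies on the Postfix default instead of stating the intended value; use `{% if postfix_tls_preempt_cipherlist is not none %}` so `false` is written out explicitly and `null` remains the "leave at default" case, matching how the other guards treat `null`. The hunk also adds `smtpd_tls_security_level = may` while leaving `smtpd_use_tls = yes` in place; Postfix documents `smtpd_tls_security_level` as superseding the obsolete `smtpd_use_tls`, so the old line should be dropped rather than kept as a second source of truth. A short comment above the new block, `# TLS parameters come from vars/tls-<preset>.yml; null leaves the Postfix default`, would make the null-versus-false convention visible to the next editor.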
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
+postfix_tls_mandatory_ciphers: medium
+postfix_tls_preempt_cipherlist: false
+postfix_tls_eecdh_grade: null
+postfix_tls_high_cipherlist: null
+postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
+postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
diff --git a/postfix/vars/tls-modern.yml b/postfix/vars/tls-modern.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2a2c9e7a70eefd8698b866a13d467265e5965766
--- /dev/null
+++ b/postfix/vars/tls-modern.yml
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2'
+postfix_tls_mandatory_ciphers: null
+postfix_tls_preempt_cipherlist: false
+postfix_tls_eecdh_grade: null
+postfix_tls_high_cipherlist: null
+postfix_tls_medium_cipherlist: null
+postfix_tls_dh_file: null
diff --git a/postfix/vars/tls-old.yml b/postfix/vars/tls-old.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a15cdc41553ce8761694b8cc39399fd3a985acd1
--- /dev/null
+++ b/postfix/vars/tls-old.yml
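Review bot: `postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2'` in tls-modern.yml leaves only TLS 1.3, which needs a Postfix linked against OpenSSL 1.1.1 or later; on an older build every protocol is excluded, so STARTTLS handshakes cannot succeed, and because the template sets `smtpd_tls_security_level = may` the breakage most likely shows up only in the mail log rather than as a refused start. Add a comment beside the value: `# TLS 1.3 only; requires Postfix built against OpenSSL >= 1.1.1 (Debian 10 or later)`. Postfix 3.6 introduced the `>=TLSv1.3` spelling, which states the intent more clearly than an exclusion list once the minimum Postfix version allows it.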
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2, !SSLv3'
+postfix_tls_mandatory_ciphers: medium
+postfix_tls_preempt_cipherlist: true
+postfix_tls_eecdh_grade: null
+postfix_tls_high_cipherlist: null
+postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
+postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
diff --git a/postfix/vars/tls-previous.yml b/postfix/vars/tls-previous.yml
new file mode 100644
index 0000000000000000000000000000000000000000..959869399132c412654c435add52bc1ebf7a9afc
--- /dev/null
+++ b/postfix/vars/tls-previous.yml
@@ -0,0 +1,9 @@
+---
+
+postfix_tls_protocols: '!SSLv2 !SSLv3'
+postfix_tls_mandatory_ciphers: high
+postfix_tls_preempt_cipherlist: null
+postfix_tls_eecdh_grade: ultra
+postfix_tls_high_cipherlist: "{{ tls_ciphers }}"
+postfix_tls_medium_cipherlist: null
+postfix_tls_dh_file: null