Commit 90090b33 authored by Hinrikus Wolf's avatar Hinrikus Wolf

Merge branch 'ext-2' into 'master'

Buster Compat and Improved TLS Settings

Dovecot updated some TLS parameters in their config file. This adds the new parameters in a backward compatible manner.

Prompted by that move, I also changed dovecot and postfix to a preset-based configuration of TLS. The default preset is `previous`, that should get you a equivalent configuration as before, regardless of being on stretch or buster (minus OpenSSL changes). Also, there are presets `modern`, `intermediate`, `old` directly from the new <https://ssl-config.mozilla.org>. But beware, at least dovecot currently errors on TLSv1.3-only `modern` although OpenSSL should be able to handle it. The preset **overrides** all manual configuration, so you should upgrade your custom variables.

Beware, that there are two **open bugs** on Debian's dovecot package which may impact your setup:
- [928492: doveadm errors on listing PAM users, because of a glibc change](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928492)
- [930919: dsync no longer syncs Sieve scripts](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930919)

For both bugs there is a patch on the dovecot repository that is already merged. But none made it into Debian yet.

See merge request !3
parents 28987fab 7c3b8ad9
......@@ -14,9 +14,10 @@ dovecot_max_uid: 0
dovecot_tls_cert: /etc/ssl/private/fullchain.pem
dovecot_tls_key: /etc/ssl/private/privkey.pem
dovecot_tls_ca_dir: /etc/ssl/certs
dovecot_tls_ciphers: "{{ tls_ciphers }}"
dovecot_tls_dh_length: 4096
dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
# possible values: modern, intermediate, old, previous
# see also: https://ssl-config.mozilla.org/
dovecot_tls_configuration: 'previous'
dovecot_dsync: false
dovecot_dsync_tls: false
......
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
\ No newline at end of file
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
-----END DH PARAMETERS-----
\ No newline at end of file
---
- name: "include tls config vars (preset: {{ dovecot_tls_configuration }})"
include_vars:
file: "tls-{{ dovecot_tls_configuration }}.yml"
tags:
- dovecot
- mail
- name: ensure all required dovecot packages are installed
apt:
name:
......@@ -36,6 +43,20 @@
- dovecot
- mail
- name: ensure dh params are available
copy:
src: "{{ dovecot_tls_dh_file }}"
dest: /etc/dovecot/dh.pem
owner: root
group: root
mode: '0644'
when: dovecot_tls_dh_file is string
notify:
- restart dovecot
tags:
- dovecot
- mail
- name: ensure there is a folder for global sieve scripts
file:
dest: /var/lib/dovecot/sieve.d
......
......@@ -42,18 +42,39 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
{% if ansible_distribution_major_version|int < 10 %}
# DH parameters length to use.
{% if dovecot_tls_dh_length %}
ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
{% else %}
#ssl_dh_parameters_length =
{% endif %}
{% else %}
# DH parameters to use.
{% if dovecot_tls_dh_file %}
ssl_dh = </etc/dovecot/dh.pem
{% else %}
#ssl_dh =
{% endif %}
{% endif %}
{% if ansible_distribution_major_version|int < 10 %}
# SSL protocols to use
ssl_protocols = {{ dovecot_tls_protocols }}
{% else %}
# Minimum TLS version to use
ssl_min_protocol = {{ dovecot_tls_min_protocol }}
{% endif %}
# SSL ciphers to use
#ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
{% if dovecot_tls_ciphers %}
ssl_cipher_list = {{ dovecot_tls_ciphers }}
{% else %}
#ssl_cipher_list =
{% endif %}
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
......
---
dovecot_tls_protocols: 'TLSv1.2 TLSv1.3'
dovecot_tls_min_protocol: 'TLSv1.2'
dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
dovecot_tls_dh_length: 4096 # 2048
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_prefer_server_ciphers: false
---
dovecot_tls_protocols: 'TLSv1.3'
dovecot_tls_min_protocol: 'TLSv1.3'
dovecot_tls_ciphers: null
dovecot_tls_dh_length: null
dovecot_tls_dh_file: null
dovecot_tls_prefer_server_ciphers: false
---
dovecot_tls_protocols: 'TLSv1 TLSv1.1 TLSv1.2 !SSLv3'
dovecot_tls_min_protocol: 'TLSv1'
dovecot_tls_ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
dovecot_tls_dh_length: 2048 # 1024
dovecot_tls_dh_file: ffdhe2048.txt # openssl dhparam 1024 > ffdhe1024.txt
dovecot_tls_prefer_server_ciphers: true
---
dovecot_tls_protocols: 'TLSv1.1 TLSv1.2 !SSLv3'
dovecot_tls_min_protocol: 'TLSv1.1'
dovecot_tls_ciphers: "{{ tls_ciphers }}"
dovecot_tls_dh_length: 4096
dovecot_tls_dh_file: ffdhe4096.txt # ffdhe2048.txt
dovecot_tls_prefer_server_ciphers: true
......@@ -6,8 +6,10 @@ postfix_virtual_domains: []
postfix_tls_cert: /etc/ssl/private/fullchain.pem
postfix_tls_key: /etc/ssl/private/privkey.pem
postfix_tls_ciphers: "{{ tls_ciphers }}"
postfix_tls_protocols: '!SSLv2 !SSLv3'
# possible values: modern, intermediate, old, previous
# see also: https://ssl-config.mozilla.org/
postfix_tls_configuration: 'previous'
postfix_prefer_lmtp: false
postfix_enable_memcached: false
......
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
\ No newline at end of file
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
-----END DH PARAMETERS-----
\ No newline at end of file
---
- name: "include tls config vars (preset: {{ postfix_tls_configuration }})"
include_vars:
file: "tls-{{ postfix_tls_configuration }}.yml"
tags:
- postfix
- mail
- name: ensure all required postfix packages are installed
apt:
name:
......@@ -35,6 +42,20 @@
- postfix
- mail
- name: ensure dh params are available
copy:
src: "{{ postfix_tls_dh_file }}"
dest: /etc/postfix/dh.pem
owner: root
group: root
mode: '0644'
when: postfix_tls_dh_file is string
notify:
- restart postfix
tags:
- postfix
- mail
- name: ensure memcached config is present
template:
src: memcached.conf.j2
......
......@@ -38,16 +38,32 @@ smtpd_relay_restrictions =
defer_unauth_destination
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_tls_cert }}
smtpd_tls_key_file = {{ postfix_tls_key }}
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_high_cipherlist = {{ postfix_tls_ciphers }}
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
{% if postfix_tls_mandatory_ciphers %}
smtpd_tls_mandatory_ciphers = {{ postfix_tls_mandatory_ciphers }}
{% endif %}
{% if postfix_tls_preempt_cipherlist %}
tls_preempt_cipherlist = {{ 'yes' if postfix_tls_preempt_cipherlist else 'no' }}
{% endif %}
{% if postfix_tls_eecdh_grade %}
smtpd_tls_eecdh_grade = {{ postfix_tls_eecdh_grade }}
{% endif %}
{% if postfix_tls_high_cipherlist %}
tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
{% endif %}
{% if postfix_tls_medium_cipherlist %}
tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
{% endif %}
{% if postfix_tls_dh_file %}
smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
{% endif %}
alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
......
---
postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postfix_tls_mandatory_ciphers: medium
postfix_tls_preempt_cipherlist: false
postfix_tls_eecdh_grade: null
postfix_tls_high_cipherlist: null
postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
---
postfix_tls_protocols: '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2'
postfix_tls_mandatory_ciphers: null
postfix_tls_preempt_cipherlist: false
postfix_tls_eecdh_grade: null
postfix_tls_high_cipherlist: null
postfix_tls_medium_cipherlist: null
postfix_tls_dh_file: null
---
postfix_tls_protocols: '!SSLv2, !SSLv3'
postfix_tls_mandatory_ciphers: medium
postfix_tls_preempt_cipherlist: true
postfix_tls_eecdh_grade: null
postfix_tls_high_cipherlist: null
postfix_tls_dh_file: ffdhe2048.txt # ffdhe4096.txt
postfix_tls_medium_cipherlist: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
---
postfix_tls_protocols: '!SSLv2 !SSLv3'
postfix_tls_mandatory_ciphers: high
postfix_tls_preempt_cipherlist: null
postfix_tls_eecdh_grade: ultra
postfix_tls_high_cipherlist: "{{ tls_ciphers }}"
postfix_tls_medium_cipherlist: null
postfix_tls_dh_file: null
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment