authorKelley Spoon <kelley.spoon@linaro.org>2023-11-28 07:34:06 -0600
committerKelley Spoon <kelley.spoon@linaro.org>2023-11-28 16:06:34 +0000
commit4a7d5d9b6d6609401db2c6a15ab48d585977fb3c (patch)
treecd9adec09a6107af962ef42130f96539152ee8e7
parent61c42a4416c7a32b8baa208511a3bc9e049ba67d (diff)
postfix: disable vulnerable SSL and TLS versions
A recent security scan noted that we were still supporting vulnerable SSL and TLS versions in addition to using obsolete or vulnerable ciphers. This change disables them. Change-Id: I4ca439beccf32d3f6ba7f788ea9e9b8723d1eecf Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46277
-rw-r--r--roles/postfix/templates/main.cf4
1 files changed, 3 insertions, 1 deletions
diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf
index 79364bab..374a625b 100644
--- a/roles/postfix/templates/main.cf
+++ b/roles/postfix/templates/main.cf
@@ -53,7 +53,9 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-smtp_tls_security_level = encrypt
+smtpd_tls_security_level = encrypt
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
{% endif %}
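Review bot: The hunk drops `smtp_tls_security_level = encrypt` (the outbound client setting) and replaces it with the server-side `smtpd_tls_security_level = encrypt`, so outbound delivery is no longer required to be encrypted — with only `smtp_use_tls = yes` left, the client would fall back to opportunistic TLS for destinations not covered by `smtp_tls_policy_maps`. Every surrounding line is an `smtp_` (client) parameter, which suggests the rename was unintended; the removed line should be kept alongside the new `smtpd_` lines rather than replaced by them. In `smtpd_tls_mandatory_exclude_ciphers`, `PSD` does not match any OpenSSL cipher alias I recognize and presumably `PSK` was meant — confirm, since an unrecognized token excludes nothing. If the scan finding also covered outbound connections, the same restrictions would need the client-side `smtp_tls_mandatory_protocols` and `smtp_tls_mandatory_exclude_ciphers` counterparts. The Jinja conditional closed by `{% endif %}` starts outside the hunk.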