author | Kelley Spoon <kelley.spoon@linaro.org> | 2023-11-28 07:34:06 -0600 |
---|---|---|
committer | Kelley Spoon <kelley.spoon@linaro.org> | 2023-11-28 16:06:34 +0000 |
commit | 4a7d5d9b6d6609401db2c6a15ab48d585977fb3c (patch) | |
tree | cd9adec09a6107af962ef42130f96539152ee8e7 | |
parent | 61c42a4416c7a32b8baa208511a3bc9e049ba67d (diff) |
postfix: disable vulnerable SSL and TLS versions
A recent security scan noted that we were still supporting
vulnerable SSL and TLS versions in addition to using
obsolete or vulnerable ciphers.
This change disables them.
Change-Id: I4ca439beccf32d3f6ba7f788ea9e9b8723d1eecf
Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org>
Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46277
-rw-r--r-- | roles/postfix/templates/main.cf | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf
index 79364bab..374a625b 100644
--- a/roles/postfix/templates/main.cf
+++ b/roles/postfix/templates/main.cf
@@ -53,7 +53,9 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 smtp_use_tls = yes
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-smtp_tls_security_level = encrypt
+smtpd_tls_security_level = encrypt
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
 smtp_tls_note_starttls_offer = yes
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 {% endif %} |
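Review bot: Replacing `smtp_tls_security_level = encrypt` with the `smtpd_` parameter removes mandatory TLS from the outbound client in this block; with only the legacy `smtp_use_tls = yes` left, delivery falls back to opportunistic TLS unless `/etc/postfix/tls_policy` covers the destination, so the SASL credentials from `smtp_sasl_password_maps` may no longer be guaranteed an encrypted session. If the scan finding concerned the listener, keep the original line and add `smtpd_tls_security_level = encrypt` next to it, with `smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1` so the client side gets the same protocol floor. In the exclude list, `PSD` is not an OpenSSL cipher keyword I recognise and is probably meant to be `PSK`; an unknown name is likely ignored silently, leaving that class enabled. The enclosing `{% if %}` opens outside the hunk, so it is worth confirming that the `smtpd_` hardening should only be rendered when that condition holds.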