authorStephen Smoogen <smooge@redhat.com>2016-09-27 01:10:46 +0000
committerStephen Smoogen <smooge@redhat.com>2016-09-27 01:10:46 +0000
commitd2764137e5f3b3786e7cffa15c4902dfc3ef0bf5 (patch)
tree24b447f97ed8183d11d8ce00ebe758fa8e8ba21f /roles/base/files
parent9cd58bad250e5d551d1704bb106af3f6a2e3ce85 (diff)
Try this patch set on for size to get TLS working with SMTP.
Diffstat (limited to 'roles/base/files')
-rw-r--r--roles/base/files/postfix/main.cf/main.cf.gateway39
1 files changed, 39 insertions, 0 deletions
diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index 37b6a8733..7a8832a77 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -703,3 +703,42 @@ local_header_rewrite_clients = static:all
message_size_limit = 20971520
+
+
+## TLS
+# enable opportunistic TLS support in the SMTP server
+smtpd_use_tls = yes
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+tls_ssl_options = no_ticket, no_compression
+
+smtpd_tls_loglevel = 1
+smtpd_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr
+smtpd_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key
+smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_received_header = yes
+tls_random_source = dev:/dev/urandom
+smtpd_tls_eecdh_grade = ultra
+tls_eecdh_strong_curve = prime256v1
+tls_eecdh_ultra_curve = secp384r1
+# TLS end
+#TLS Client
+smtp_tls_fingerprint_digest=sha1
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtp_tls_mandatory_ciphers = high
+smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
+smtp_tls_loglevel = 1
+smtp_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr
+smtp_tls_key_file = /etc/pki/tls/private/bastion.fedoraproject.org.key
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
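Review bot: `smtpd_tls_cert_file = /etc/pki/tls/certs/bastion.fedoraproject.org.csr` and the matching `smtp_tls_cert_file` line point at a `.csr`, a signing request rather than an issued certificate, so Postfix can be expected to fail to load the certificate and log a TLS warning instead of offering STARTTLS; both should reference the issued certificate file (placeholder path below). The `*_tls_mandatory_protocols` / `*_tls_mandatory_ciphers` / `*_tls_mandatory_exclude_ciphers` keys only govern sessions at `encrypt` or stricter levels, and both `smtpd_tls_security_level` and `smtp_tls_security_level` are `may`, so the opportunistic counterparts (`smtpd_tls_protocols`, `smtpd_tls_exclude_ciphers` and the `smtp_` equivalents) need the same exclusions for the SSLv2/SSLv3 and aNULL/MD5/RC4 restrictions to apply to real traffic. `smtpd_tls_mandatory_protocols` and `smtpd_tls_received_header` are each set twice in the hunk; Postfix keeps the last value, so one of each should be dropped. `smtp_tls_fingerprint_digest=sha1` weakens any fingerprint-level entries in `/etc/postfix/tls_policy`, and `sha256` is the safer choice if that map uses fingerprints. The hunk's trailing context lines may fall outside this view.
```ini
## TLS
# enable opportunistic TLS support in the SMTP server
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# "may" is opportunistic: these non-mandatory keys govern those sessions
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, MD5, RC4
# kept for a future switch to smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
tls_ssl_options = no_ticket, no_compression
# … unchanged: loglevel, key file, CAfile, session cache …
# issued certificate, not the signing request (placeholder path)
smtpd_tls_cert_file = /etc/pki/tls/certs/<issued-certificate>.crt
# … unchanged: received_header (once), ask_ccert, random source, eecdh …
#TLS Client
smtp_tls_fingerprint_digest = sha256
# … unchanged: note_starttls_offer, policy_maps, security_level …
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = aNULL, MD5, RC4
# … unchanged: mandatory_*, loglevel, key file, CAfile …
smtp_tls_cert_file = /etc/pki/tls/certs/<issued-certificate>.crt
```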