Stricter TLS ciphersuites for Postfix (SMTP)

2024-09-17 16:53:39 +00:00 · 2024-09-17 16:53:39 +00:00 · a4f5536f12
commit a4f5536f12
parent 7784501da5
1 changed files with 10 additions and 1 deletions
--- a/roles/postfix/vars/main.yml
+++ b/roles/postfix/vars/main.yml
@ -353,6 +353,14 @@ postfix_config:
    value: 'aNULL'
    state: present

+  - name: smtpd_tls_mandatory_protocols
+    value: 'TLSv1.2 TLSv1.3'
+    state: present
+
+  - name: smtpd_tls_protocols
+    value: 'TLSv1.2 TLSv1.3'
+    state: present
+
  - name: smtpd_tls_received_header
    value: 'yes'
    state: present
@ -370,7 +378,8 @@ postfix_config:
    state: present

  - name: tls_high_cipherlist
-    value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
+    value: |-
+      'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
    state: present

  - name: tls_ssl_options