Move to 2048 bit DH params using ssl::dhparams
authorSilvio Rhatto <rhatto@riseup.net>
Sun, 5 Jun 2016 02:02:08 +0000 (23:02 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Sun, 5 Jun 2016 02:02:08 +0000 (23:02 -0300)
manifests/tls/hardened.pp

index 735135c3672dfe468f0dd99f28507791a13bb8a5..cf7d1dd1dca1f4a3ea1dedc21d7ca861828d5f7f 100644 (file)
@@ -15,28 +15,44 @@ class mail::tls::hardened inherits mail::tls {
   # DH parameters
   postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
 
+  #postfix::config { "smtpd_tls_dh1024_param_file":
+  #  value   => '/etc/ssl/dhparams/dhparams_1024.pem',
+  #  require => Exec['openssl-postfix-gendh-1024'],
+  #}
+
+  # See https://leap.se/code/issues/4012
+  #     https://drownattack.com/postfix.html
   postfix::config { "smtpd_tls_dh1024_param_file":
-    value   => '/etc/postfix/dh_1024.pem',
-    require => Exec['openssl-postfix-gendh-1024'],
+    value   => '/etc/ssl/dhparams/dhparams_2048.pem',
+    require => Exec['openssl-postfix-gendh-2048'],
+  }
+
+  # Old file locations
+  file { [ '/etc/postfix/dh_512.pem', '/etc/postfix/dh_1024.pem' ]:
+    ensure => absent,
   }
 
   postfix::config { "smtpd_tls_dh512_param_file":
-    value   => '/etc/postfix/dh_512.pem',
+    value   => '/etc/ssl/dhparams/dhparams_512.pem',
     require => Exec['openssl-postfix-gendh-512'],
   }
 
-  exec { 'openssl-postfix-gendh-512':
-    command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
-    user    => root,
-    group   => root,
-    creates => '/etc/postfix/dh_512.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-512':
+    prefix => 'dh',
+    size   => '512',
+    folder => '/etc/postfix',
+  }
+
+  ssl::dhparams { 'openssl-postfix-gendh-1024':
+    prefix => 'dh',
+    size   => '1024',
+    folder => '/etc/postfix',
   }
 
-  exec { 'openssl-postfix-gendh-1024':
-    command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
-    user    => root,
-    group   => root,
-    creates => '/etc/postfix/dh_1024.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-2048':
+    prefix => 'dh',
+    size   => '2048',
+    folder => '/etc/postfix',
   }
 
   postfix::config { "smtpd_tls_exclude_ciphers":
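Review bot: The `require => Exec['openssl-postfix-gendh-2048']` on the new smtpd_tls_dh1024_param_file entry (and the matching 512 one below it) still names Exec resources, yet this hunk replaces those execs with `ssl::dhparams` defines, so the catalog will fail to compile unless that define happens to declare an exec titled with its own name; depending on the define directly, `require => Ssl::Dhparams['openssl-postfix-gendh-2048']`, is correct either way. The config values point at `/etc/ssl/dhparams/dhparams_2048.pem` while the defines are given `folder => '/etc/postfix'` and `prefix => 'dh'`, so if the define honours those parameters the generated files land at `/etc/postfix/dh_*.pem`, which is exactly what the `ensure => absent` resource above deletes on every run. A 512-bit parameter file is also still generated and configured here; Postfix only reads `smtpd_tls_dh512_param_file` for export-grade ciphers, so if the `smtpd_tls_exclude_ciphers` value that begins at the end of the hunk already drops EXPORT, both the 512 and the now-unreferenced 1024 `ssl::dhparams` resources can be removed, taking the Logjam-class parameters off the host. The commented-out `smtpd_tls_dh1024_param_file` block at the top of the hunk is dead code and should be deleted rather than kept.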