Merge pull request #696 from rds13/featurePostfixRemoveTLSv1Support

[enh] Propose a setting to remove support for TLSv1 and TLSv1.1 in Postfix
2024-09-03 20:06:10 +02:00 · 2019-05-14 19:19:25 +02:00 · 2019-05-14 19:19:25 +02:00 · 93d0fbc4cf
commit 93d0fbc4cf
parent 218f4ce84e 15ac51098d
4 changed files with 76 additions and 59 deletions
--- a/data/hooks/conf_regen/19-postfix
+++ b/data/hooks/conf_regen/19-postfix
@ -2,6 +2,8 @@

 set -e

+. /usr/share/yunohost/helpers
+
 do_pre_regen() {
  pending_dir=$1

@ -20,9 +22,12 @@ do_pre_regen() {
  main_domain=$(cat /etc/yunohost/current_host)
  domain_list=$(sudo yunohost domain list --output-as plain --quiet | tr '\n' ' ')

-  cat main.cf \
-    | sed "s/{{ main_domain }}/${main_domain}/g" \
-    > "${postfix_dir}/main.cf"
+  # Support different strategy for security configurations
+  export compatibility="$(yunohost settings get 'security.postfix.compatibility')"
+
+  export main_domain
+  export domain_list
+  ynh_render_template "main.cf" "${postfix_dir}/main.cf"

  cat postsrsd \
    | sed "s/{{ main_domain }}/${main_domain}/g" \
--- a/data/templates/postfix/main.cf
+++ b/data/templates/postfix/main.cf
@ -33,7 +33,11 @@ smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem
 smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_loglevel=1
+{% if compatibility == "intermediate" %}
 smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+{% else %}
+smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+{% endif %}
 smtpd_tls_mandatory_ciphers=high
 smtpd_tls_eecdh_grade = ultra

--- a/locales/en.json
+++ b/locales/en.json
@ -217,6 +217,7 @@
    "global_settings_setting_security_password_admin_strength": "Admin password strength",
    "global_settings_setting_security_password_user_strength": "User password strength",
    "global_settings_setting_security_ssh_compatibility": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
+    "global_settings_setting_security_postfix_compatibility": "Compatibility vs. security tradeoff for the Postfix server. Affects the ciphers (and other security-related aspects)",
    "global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discarding it and save it in /etc/yunohost/settings-unknown.json",
    "global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
    "global_settings_unknown_type": "Unexpected situation, the setting {setting:s} appears to have the type {unknown_type:s} but it's not a type supported by the system.",
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
@ -44,6 +44,8 @@ DEFAULTS = OrderedDict([
        "choices": ["intermediate", "modern"]}),
    ("security.nginx.compatibility", {"type": "enum", "default": "intermediate",
        "choices": ["intermediate", "modern"]}),
+    ("security.postfix.compatibility", {"type": "enum", "default": "intermediate",
+        "choices": ["intermediate", "modern"]}),
 ])


@ -292,3 +294,8 @@ def reconfigure_nginx(setting_name, old_value, new_value):
 def reconfigure_ssh(setting_name, old_value, new_value):
    if old_value != new_value:
        service_regen_conf(names=['ssh'])
+
+@post_change_hook("security.postfix.compatibility")
+def reconfigure_ssh(setting_name, old_value, new_value):
+    if old_value != new_value:
+        service_regen_conf(names=['postfix'])