sec: add security-related Postfix options

9f0c9947 · Jörg Sachse · ad9a6814 · 9f0c9947 · 9f0c9947
Commit 9f0c9947 authored 5 months ago by Jörg Sachse
--- a/tasks/mail/configure_postfix.yml
+++ b/tasks/mail/configure_postfix.yml
@@ -16,4 +16,11 @@
      smtpd_recipient_restrictions =
      # smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination    # DEFAULT according to `man 5 postconf`
      smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
+      relayhost = [{{ mail_server }}]                                                       # mail server
+      disable_vrfy_command = yes                                                            # security: disable VRFY replies
+      smtpd_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2   # security: only TLS 1.3
+      smtpd_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2             # security: only TLS 1.3
+      smtp_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2    # security: only TLS 1.3
+      smtp_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2              # security: only TLS 1.3
  notify: restart postfix
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,6 +6,7 @@
    - "cron_apt.vault"
    - "exim.vault"
    - "groups.vault"
+    - "mail.vault"
    - "repos.vault"
    - "sudo.vault"
    - "syslog.vault"