From 9f0c99476630c0a1acf9c5c370ca32b898ed2ee9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Thu, 16 Jan 2025 09:56:58 +0100
Subject: [PATCH] sec: add security-related Postfix options
---
 tasks/mail/configure_postfix.yml | 7 +++++++
 tasks/main.yml | 1 +
 2 files changed, 8 insertions(+)
diff --git a/tasks/mail/configure_postfix.yml b/tasks/mail/configure_postfix.yml
index f727be2..cd1b114 100644
--- a/tasks/mail/configure_postfix.yml
+++ b/tasks/mail/configure_postfix.yml
@@ -16,4 +16,11 @@ smtpd_recipient_restrictions =
 # smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination # DEFAULT according to `man 5 postconf`
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
+
+ relayhost = [{{ mail_server }}] # mail server
+ disable_vrfy_command = yes # security: disable VRFY replies
+ smtpd_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 # security: only TLS 1.3
+ smtpd_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 # security: only TLS 1.3
+ smtp_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 # security: only TLS 1.3
+ smtp_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 # security: only TLS 1.3
 notify: restart postfix
diff --git a/tasks/main.yml b/tasks/main.yml
index 970025c..03069c0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,6 +6,7 @@
 - "cron_apt.vault"
 - "exim.vault"
 - "groups.vault"
+ - "mail.vault"
 - "repos.vault"
 - "sudo.vault"
 - "syslog.vault"
--
GitLab
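Review bot: Postfix main.cf has no inline comments — a `#` only starts a comment when it is the first non-blank character of a line — so the trailing `# mail server` and `# security: …` text on each of the six added settings in configure_postfix.yml becomes part of the parameter value (for example `smtpd_tls_protocols` would carry the extra tokens `#`, `security:`, `only`, `TLS`, `1.3`, and `disable_vrfy_command` would no longer be the plain boolean `yes`). Move each annotation onto its own `#` line above the setting, the way the existing `# DEFAULT according to ...` context line already does, e.g. `# security: disable VRFY replies` followed on the next line by `disable_vrfy_command = yes`. Separately, restricting `smtpd_tls_protocols` and `smtp_tls_protocols` to TLSv1.3 also governs opportunistic TLS, so a peer that can only negotiate TLS 1.2 may end up exchanging mail in cleartext rather than over a weaker-but-encrypted session; unless every peer is known to support 1.3, `>=TLSv1.2` (Postfix 3.6+) is the more common floor, and the `smtp_tls_security_level` / `smtpd_tls_security_level` values that decide whether TLS is enforced are not visible in this hunk. The block these lines belong to starts before the hunk.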