
Improve postfix ssl/tls configuration

Emmanuel Bouthenot 11 years ago
parent
commit
19c7fd1b82
1 changed files with 15 additions and 8 deletions
  1. 15 8
      roles/common/templates/postfix/main.cf.j2

+ 15 - 8
roles/common/templates/postfix/main.cf.j2

@@ -21,14 +21,23 @@ append_dot_mydomain = no
 readme_directory = no
 
 # TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
+smtpd_use_tls = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_req_ccert = no
+smtpd_tls_session_cache_timeout = 3600
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
+smtp_use_tls = yes
+smtp_tls_loglevel = 1
+smtp_tls_note_starttls_offer = yes
+smtp_tls_session_cache_timeout = 3600
+smtp_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtp_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
 myhostname = {{ ansible_fqdn }}
 myorigin = $myhostname
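Review bot: The new TLS block keeps the legacy `smtpd_use_tls`/`smtp_use_tls` switches and sets no `*_tls_security_level`, `*_tls_protocols` or cipher parameters, so SSLv2/SSLv3 remain enabled on both the server and the client side. On Postfix 2.3 or newer (the role does not pin a version here) I would replace the two switches with `smtpd_tls_security_level = may` and `smtp_tls_security_level = may` and add `smtpd_tls_protocols = !SSLv2, !SSLv3` plus its `smtp_` counterpart, keeping TLS opportunistic but dropping the broken protocols. The client-side `smtp_tls_cert_file`/`smtp_tls_key_file` lines present the self-signed snakeoil certificate to every remote server; Postfix's TLS_README advises against configuring client certificates unless a peer requires them, and likewise `smtpd_tls_ask_ccert = yes` with `smtpd_tls_req_ccert = no` only adds a certificate prompt that some clients handle badly without enabling any relay policy. Both `*_tls_cert_file` entries still point at the Debian snakeoil placeholder, so this template presumably needs a role variable for a real certificate before any peer can verify this host.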
@@ -77,5 +86,3 @@ smtpd_sender_restrictions =
     permit_mynetworks,
     reject_non_fqdn_sender,
     reject_unknown_sender_domain
-
-