From bfdc07de980df2076a8d9a2dac0044c83e65d491 Mon Sep 17 00:00:00 2001
From: windgmbh <49904312+windgmbh@users.noreply.github.com>
Date: Fri, 28 May 2021 09:34:03 +0200
Subject: [PATCH] mail/postfix: Add TLS compatibility modes (#2255)
---
mail/postfix/Makefile | 2 +-
mail/postfix/pkg-descr | 4 ++
.../OPNsense/Postfix/forms/general.xml | 14 +++--
.../app/models/OPNsense/Postfix/General.xml | 24 +++++---
.../templates/OPNsense/Postfix/main.cf | 55 ++++++++++++++++---
5 files changed, 78 insertions(+), 21 deletions(-)
diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 54ec13463..cbf333904 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= postfix
-PLUGIN_VERSION= 1.18
+PLUGIN_VERSION= 1.19
PLUGIN_COMMENT= SMTP mail relay
PLUGIN_DEPENDS= postfix-sasl
PLUGIN_MAINTAINER= m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index f873fb825..ad3563c43 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
Plugin Changelog
================
+1.19
+
+* Add TLS server/ client compatibility modes based on Mozilla's TLS configuration recommendations (https://ssl-config.mozilla.org).
+
1.18
* Add 'milter_default_action' choice
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 7b21cc130..dda5f8f2b 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -90,10 +90,16 @@
Disable SSLv2 and SSLv3, only TLS allowed.
- general.disable_weak_ciphers
-
- checkbox
- This will disable known weak ciphers like DES, RC4 or MD5.
+ general.tls_server_compatibility
+
+ dropdown
+ TLS version/ cipher compatibility of the SMTP service
+
+
+ general.tls_client_compatibility
+
+ dropdown
+ TLS version/ cipher compatibility of the SMTP Client
general.tlswrappermode
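Review bot: The help text of the two new dropdowns (`TLS version/ cipher compatibility of the SMTP service` and `... of the SMTP Client`) does not tell the administrator what the three profiles enable; that is only visible in main.cf in this same patch, where modern is TLS 1.3 only, intermediate TLS 1.2 and up, old TLS 1.0 and up. Because the template applies the chosen profile to the opportunistic `smtp_tls_protocols`/`smtpd_tls_protocols` as well, a peer that cannot meet it is not refused but ends up in plaintext under `smtpd_use_tls = yes` or `smtp_tls_security_level = may`, which the admin should learn here rather than from the mail log. Suggested wording for both fields: `TLS version/cipher compatibility (Mozilla profile: modern = TLS 1.3 only, intermediate = TLS 1.2+, old = TLS 1.0+). Peers that cannot meet the profile fall back to plaintext unless TLS is mandatory.` The XML element tags appear to have been lost in extraction, so which element carries the text is inferred from position.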
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index f829a07af..4f0e11d8c 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -1,7 +1,7 @@
//OPNsense/postfix/general
Postfix configuration
- 1.2.5
+ 1.2.6
0
@@ -61,14 +61,24 @@
/^([0-9a-z\.\-\_]{1,128})(,[0-9a-z\.\-\_]{1,128})*$/ui
Only up to 128 of the following characters are allowed: 0-9a-zA-Z.-_
-
- 1
+
+ intermediate
Y
-
-
- 1
+
+ Modern
+ Intermediate
+ Old
+
+
+
+ intermediate
Y
-
+
+ Modern
+ Intermediate
+ Old
+
+
0
Y
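Review bot: The two boolean fields replaced here (the `1` defaults removed at the top of the hunk, `disable_ssl` and `disable_weak_ciphers` judging by the main.cf hunk) have no migration to the new dropdowns: after the 1.2.5 to 1.2.6 bump every existing installation gets `intermediate` for both fields regardless of what the checkboxes were, which on the server side raises the floor from "no SSLv2/SSLv3" to TLS 1.2 with AEAD ciphers only. That is probably the intended outcome, but it is a policy change applied on upgrade and deserves a sentence in the 1.19 changelog entry, e.g. `Replaces the 'Disable SSL' and 'Disable weak ciphers' checkboxes; upgraded installations default to the intermediate profile.` If preserving prior behaviour for hosts that had weak ciphers enabled matters, a migration mapping that case to `old` would be the alternative.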
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 8df295bb9..630121958 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -83,29 +83,66 @@ message_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
{% if helpers.exists('OPNsense.postfix.general.masquerade_domains') and OPNsense.postfix.general.masquerade_domains != '' %}
masquerade_domains = {{ OPNsense.postfix.general.masquerade_domains }}
{% endif %}
-{% if helpers.exists('OPNsense.postfix.general.disable_ssl') and OPNsense.postfix.general.disable_ssl == '1' %}
-smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
-smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
-smtpd_tls_protocols=!SSLv2,!SSLv3
-smtp_tls_protocols=!SSLv2,!SSLv3
-{% endif %}
-{% if helpers.exists('OPNsense.postfix.general.disable_weak_ciphers') and OPNsense.postfix.general.disable_weak_ciphers == '1' %}
-smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
-{% endif %}
{% if helpers.exists('OPNsense.postfix.general.tlswrappermode') and OPNsense.postfix.general.tlswrappermode == '1' %}
smtp_tls_wrappermode = yes
{% endif %}
+
{% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
+smtp_tls_loglevel = 1
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') %}
+{% if OPNsense.postfix.general.tls_client_compatibility == 'modern' %}
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
+{% elif OPNsense.postfix.general.tls_client_compatibility == 'intermediate' %}
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_ciphers = medium
+{% elif OPNsense.postfix.general.tls_client_compatibility == 'old' %}
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_ciphers = low
+{% endif %}
+smtp_tls_protocols = $smtp_tls_mandatory_protocols
+{% if OPNsense.postfix.general.tls_client_compatibility != 'modern' %}
+smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
+{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
+{% if OPNsense.postfix.general.tls_server_compatibility == 'modern' %}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
+{% elif OPNsense.postfix.general.tls_server_compatibility == 'intermediate' %}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
+smtpd_tls_mandatory_ciphers = medium
+{% elif OPNsense.postfix.general.tls_server_compatibility == 'old' %}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
+smtpd_tls_mandatory_ciphers = low
+{% endif %}
+smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
+{% if OPNsense.postfix.general.tls_server_compatibility != 'modern' %}
+smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') or helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
+tls_low_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+{% if OPNsense.postfix.general.tls_server_compatibility == 'old' %}
+tls_preempt_cipherlist = yes
+{% else %}
+tls_preempt_cipherlist = no
+{% endif %}
+{% endif%}
+{% endif %}
{% if helpers.exists('OPNsense.postfix.general.relayhost') and OPNsense.postfix.general.relayhost != '' %}
relayhost = {{ OPNsense.postfix.general.relayhost }}
{% endif %}
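Review bot: Tying the opportunistic settings to the mandatory ones (`smtp_tls_protocols = $smtp_tls_mandatory_protocols`, `smtp_tls_ciphers = $smtp_tls_mandatory_ciphers` and the matching `smtpd_tls_protocols`/`smtpd_tls_ciphers` lines) turns a TLS policy into a cleartext policy for SMTP: with `smtp_tls_security_level = may` (set from smtpclient_security just above) and `smtpd_use_tls = yes`, a peer that cannot negotiate the chosen profile is not refused, the exchange presumably just proceeds without TLS, so the modern profile (TLS 1.3 only) and even intermediate downgrade mail to or from older MTAs to plaintext instead of to a weaker cipher. The Mozilla profiles assume HTTPS, where a failed handshake is the safe outcome; for opportunistic SMTP the stock Postfix values for the non-mandatory settings are the safer choice, so I would drop those four assignments and let the profile govern only the `*_tls_mandatory_*` parameters (or expose the opportunistic floor as a separate option). Two smaller points in the same hunk: the `{% if ... tls_client_compatibility ... or ... tls_server_compatibility %}` block defining `tls_low_cipherlist`/`tls_medium_cipherlist` sits inside the `tls_server_compatibility` block, so the `or` is dead and a client-only configuration would keep the stock cipher lists (harmless today because the model defaults both fields, but the block belongs after the server `{% endif %}`); and excluding TLSv1.2 for `modern` leaves no enabled protocol on a Postfix/OpenSSL build without TLS 1.3 support, which is worth a comment next to that line, e.g. `# TLS 1.3 only: requires Postfix >= 3.4 built against OpenSSL 1.1.1`.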