Allow disabling older SSL/TLS protocols
Bug #1950116 reported by Haw Loeung
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
SMTP Relay Charm | Fix Released | High | Haw Loeung |
Bug Description
Hi,
Noticed tlsmon picking up that services deployed using the SMTP relay charm have TLS1.0 and TLS1.1 still enabled. We should allow the ability to disable this with a charm option with a big fat warning to override it.
    smtpd_tls_protocols = !SSLv2 !SSLv3
Related branches
~hloeung/smtp-relay-charm:tls
- Joel Sing (community): Approve (+1)
- Loïc Gomez: Approve
- Colin Misare: Approve
Diff: 504 lines (+193/-7), 25 files modified
config.yaml (+54/-1)
reactive/smtp_relay.py (+8/-0)
templates/postfix_main_cf.tmpl (+16/-4)
templates/postfix_master_cf.tmpl (+1/-1)
tests/unit/files/postfix_main.cf (+2/-0)
tests/unit/files/postfix_main_auth_disabled.cf (+2/-0)
tests/unit/files/postfix_main_domain.cf (+2/-0)
tests/unit/files/postfix_main_header_checks.cf (+2/-0)
tests/unit/files/postfix_main_rate_limits.cf (+2/-0)
tests/unit/files/postfix_main_rate_limits_auth_disabled.cf (+2/-0)
tests/unit/files/postfix_main_reject_unknown_recipient_domain.cf (+2/-0)
tests/unit/files/postfix_main_relay_access_sources.cf (+2/-0)
tests/unit/files/postfix_main_relay_access_sources_auth_disabled.cf (+2/-0)
tests/unit/files/postfix_main_restrict_both_senders_and_recipients.cf (+2/-0)
tests/unit/files/postfix_main_restrict_recipients.cf (+2/-0)
tests/unit/files/postfix_main_restrict_sender_access.cf (+2/-0)
tests/unit/files/postfix_main_restrict_senders.cf (+2/-0)
tests/unit/files/postfix_main_restrict_senders_with_reject_unknown_recipient_domain.cf (+2/-0)
tests/unit/files/postfix_main_tls_cert_key.cf (+2/-0)
tests/unit/files/postfix_main_tls_no_ciphers_and_protocols.cf (+51/-0)
tests/unit/files/postfix_main_tls_policy.cf (+2/-0)
tests/unit/files/postfix_main_with_milter.cf (+2/-0)
tests/unit/files/postfix_main_with_milter_auth_disabled.cf (+2/-0)
tests/unit/files/postfix_master.cf (+1/-1)
tests/unit/test_smtp_relay.py (+26/-0)
Changed in smtp-relay-charm:
  assignee: nobody → Haw Loeung (hloeung)
  importance: Undecided → High
  status: New → In Progress
Changed in smtp-relay-charm:
  status: In Progress → Fix Committed
Changed in smtp-relay-charm:
  status: Fix Committed → Fix Released
Sadly, Focal ships with Postfix 3.4 so doesn't support ">=TLSv1.2". Instead, the default will be "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1".
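Added example (not the charm's code) covering both the bug description and the Postfix-version caveat in the comment above: it picks the smtpd_tls_protocols value to template for a given Postfix version, and expands an existing value to show which legacy protocols a main.cf still leaves enabled. The version threshold for the ">=" form is an assumption made here, not something stated on this page.

```python
"""Decide the smtpd_tls_protocols value for a Postfix version and audit a
main.cf for legacy protocols that remain enabled. Added example, not the
smtp-relay charm's own code."""
import re

# Postfix protocol names, oldest to newest.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = set(PROTOCOLS[:4])
# Assumption: the ">=TLSv1.2" range form needs Postfix 3.6 or newer;
# Focal's Postfix 3.4 only understands the exclusion list.
RANGE_SYNTAX_MIN = (3, 6)


def tls_protocols_value(postfix_version: str) -> str:
    """Return the setting that disables everything below TLS 1.2."""
    major_minor = tuple(int(p) for p in postfix_version.split(".")[:2])
    if major_minor >= RANGE_SYNTAX_MIN:
        return ">=TLSv1.2"
    return ", ".join("!" + p for p in PROTOCOLS[:4])


def enabled_protocols(value: str) -> set:
    """Expand a smtpd_tls_protocols value into the protocols it allows."""
    value = value.strip()
    if value.startswith(">="):  # range form: the floor and everything newer
        return set(PROTOCOLS[PROTOCOLS.index(value[2:].strip()):])
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    allowed = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    # A bare protocol name makes the list inclusive; otherwise start from all.
    base = allowed if allowed else set(PROTOCOLS)
    return base - excluded


def legacy_still_enabled(main_cf: str) -> set:
    """Legacy protocols left enabled by main.cf text. A missing key falls
    back to the "!SSLv2, !SSLv3" value the charm templated before this fix."""
    value = "!SSLv2, !SSLv3"
    for line in main_cf.splitlines():
        m = re.match(r"\s*smtpd_tls_protocols\s*=\s*(.*)", line)
        if m:
            value = m.group(1)  # the last assignment wins, as in Postfix
    return enabled_protocols(value) & LEGACY


# Constructed main.cf fragments: the pre-fix template and the new Focal default.
OLD_MAIN_CF = "smtpd_tls_security_level = may\nsmtpd_tls_protocols = !SSLv2 !SSLv3\n"
NEW_MAIN_CF = "smtpd_tls_protocols = " + tls_protocols_value("3.4.13") + "\n"

if __name__ == "__main__":
    print(sorted(legacy_still_enabled(OLD_MAIN_CF)))  # ['TLSv1', 'TLSv1.1']
    print(sorted(legacy_still_enabled(NEW_MAIN_CF)))  # []
```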