From b066a5e2ac4777935d4a072e81ee48f4b115ee83 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sun, 1 Aug 2021 11:09:44 +0200
Subject: [PATCH] add a default tls_policy_map

---
 core/postfix/conf/main.cf | 4 +++-
 core/postfix/start.py | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index d8b42223..e102f51a 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -55,10 +55,12 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # By default, outgoing TLS is more flexible because
 # 1. not all receiving servers will support TLS,
 # 2. not all will have and up-to-date TLS stack.
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
+smtp_tls_CApath = /etc/ssl/certs
 
 ###############
 # Virtual
diff --git a/core/postfix/start.py b/core/postfix/start.py
index e0c781b7..f54ec911 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -66,6 +66,11 @@ for map_file in glob.glob("/overrides/*.map"):
     os.system("postmap {}".format(destination))
     os.remove(destination)
 
+if not os.path.exists("/etc/postfix/tls_policy.map.db"):
+    with open("/etc/postfix/tls_policy.map", "w") as f:
+        f.write("gmail.com\tsecure\n")
+    os.system("postmap /etc/postfix/tls_policy.map")
+
 if "RELAYUSER" in os.environ:
     path = "/etc/postfix/sasl_passwd"
     conf.jinja("/conf/sasl_passwd", os.environ, path)
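Review bot: The new `smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map` line picks the `hash:` map type while the rest of this block already relies on `lmdb:` (`smtp_tls_session_cache_database = lmdb:...`), so this should be confirmed against the Postfix build in the image — if it was built without Berkeley DB support, the map cannot be opened and every outbound delivery consulting the policy table is deferred; `smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy.map` would keep the file consistent (the start.py hunk in this same commit checks for the `.db` suffix and would need to follow). The same line is also the only one in the block without spaces around `=`; `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy.map` matches the surrounding style. Moving `smtp_tls_security_level` below the protocol settings does not change its meaning, so that part of the hunk is a pure reorder. A one-line comment above the new settings would help the next reader, e.g. `# Per-destination TLS policy; entries at "secure" level are verified against the CA bundle in smtp_tls_CApath`.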
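Review bot: The guard tests only for the compiled `/etc/postfix/tls_policy.map.db`, but the branch then overwrites the source `/etc/postfix/tls_policy.map` unconditionally, so a policy file that was placed there without being compiled yet is silently replaced by the one-line default; checking the source as well avoids that, `if not os.path.exists("/etc/postfix/tls_policy.map") and not os.path.exists("/etc/postfix/tls_policy.map.db"):`. The `.db` suffix also hard-codes the `hash:` map type chosen in main.cf in this same commit; if that type changes (the rest of the config uses lmdb) this check would stop matching and the default would be rewritten on every start. The `os.system("postmap ...")` result is discarded, consistent with the override loop above (whose start lies outside the hunk), so a failing postmap leaves Postfix with a policy_maps entry it cannot open and the error only surfaces at delivery time. Finally, the default entry `gmail.com\tsecure` enables certificate name matching against the nexthop domain under Postfix's default `smtp_tls_secure_cert_match`; it is worth verifying that the destination's MX certificates carry a matching name, otherwise mail to that domain is deferred rather than delivered, and a `match=` clause would be needed.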