From ecadf46ac620d2585e96d316910f607162905834 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Mon, 9 Aug 2021 17:39:15 +0200
Subject: [PATCH] fix PFS

---
 core/postfix/conf/main.cf | 5 +++--
 core/postfix/start.py | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 9b3e30ff..dfa31514 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -50,7 +50,7 @@ smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
 # General TLS configuration
 tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 tls_preempt_cipherlist = yes
-tls_ssl_options = NO_COMPRESSION
+tls_ssl_options = NO_COMPRESSION, NO_TICKET
 
 # By default, outgoing TLS is more flexible because
 # 1. not all receiving servers will support TLS,
@@ -58,7 +58,8 @@ tls_ssl_options = NO_COMPRESSION
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
+smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
+smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 
 ###############
 # Virtual
diff --git a/core/postfix/start.py b/core/postfix/start.py
index e0c781b7..df290a3a 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -15,6 +15,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 
 def start_podop():
     os.setuid(getpwnam('postfix').pw_uid)
+    os.mkdir('/dev/shm/postfix',mode=0o700)
     url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [
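Review bot: The new `tls_ssl_options = NO_COMPRESSION, NO_TICKET` line gives no hint of why session tickets are being disabled; the only rationale is the commit subject "fix PFS", which a reader of main.cf will never see. Suggest a comment directly above it: `# NO_TICKET: a session ticket is protected by a key that outlives the session itself, so ticket-based resumption weakens forward secrecy; resumption uses the session caches below instead`. NO_TICKET applies to both the smtpd and smtp sides, which is presumably why the second hunk introduces a server-side cache in addition to relocating the client one.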
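Review bot: Both cache databases now point at `/dev/shm/postfix`, a directory that nothing in main.cf creates and that only the accompanying start.py change provides, and `smtpd_tls_session_cache_database` is newly enabled here rather than moved, so a server-side cache appears where there was none; neither fact is recorded next to the lines. Suggest a comment above the two settings: `# Session caches live on tmpfs (/dev/shm/postfix, created by start.py) so cached TLS session keys never reach persistent storage` — this assumes /dev/shm is a tmpfs in this container, the usual but not guaranteed arrangement. Whether tlsmgr tolerates the directory being absent when it first opens the cache, and how that ordering with start.py is guaranteed, is worth confirming since it cannot be seen from this hunk.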
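Review bot: `os.mkdir('/dev/shm/postfix',mode=0o700)` raises FileExistsError when the directory already exists, so any restart that reuses the same /dev/shm would abort start_podop before run_server is reached; `os.makedirs('/dev/shm/postfix', mode=0o700, exist_ok=True)` keeps the intent and tolerates that case. The call sits after `os.setuid(...)`, so it also relies on /dev/shm being writable by the postfix user (normally mode 1777) and on start_podop running before postfix's tlsmgr tries to open the caches configured in main.cf — I can't tell from this hunk where start_podop is invoked relative to postfix starting, so that ordering should be checked. Minor style point: PEP 8 wants a space after the comma in the keyword argument. start_podop's body continues past the end of the hunk.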