postfix: update security parameters for mail sending

author: Joe Banks <[email protected]> 2024-07-31 13:19:19 +0100
committer: Joe Banks <[email protected]> 2024-07-31 13:25:56 +0100
commit: 1a06c321f6b4b24fdff7b59f9c982a8080f40757 (patch)
tree: 153987f1367d94a8cb02445a1adabc6f522f9497 /ansible
parent: dkim: increase logging verbosity (diff)
1 files changed, 9 insertions, 3 deletions
diff --git a/ansible/roles/postfix/templates/main.cf.j2 b/ansible/roles/postfix/templates/main.cf.j2
index b145556..05c78da 100644
--- a/ansible/roles/postfix/templates/main.cf.j2
+++ b/ansible/roles/postfix/templates/main.cf.j2
@@ -14,10 +14,16 @@ compatibility_level = 3.6
 
 smtpd_tls_cert_file=/etc/letsencrypt/live/pydis.wtf/fullchain.pem
 smtpd_tls_key_file=/etc/letsencrypt/live/pydis.wtf/privkey.pem
-smtpd_tls_security_level=may
-smtpd_tls_auth_only=yes
 
-smtp_tls_security_level = encrypt
+# Configure TLS in high security mode, via https://mecsa.jrc.ec.europa.eu/en/postfix:
+# - mails must be sent via TLS, optionally with DANE, and STARTTLS offer logged
+# - mails must be received via TLS
+# - authentication must be performed via TLS
+smtp_tls_security_level = dane
+smtp_dns_support_level = dnssec
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_security_level = encrypt
+smtpd_tls_auth_only = yes
 
 smtpd_relay_restrictions =
                          permit_mynetworks,
author	Joe Banks <[email protected]>	2024-07-31 13:19:19 +0100
committer	Joe Banks <[email protected]>	2024-07-31 13:25:56 +0100
commit	1a06c321f6b4b24fdff7b59f9c982a8080f40757 (patch)
tree	153987f1367d94a8cb02445a1adabc6f522f9497 /ansible
parent	dkim: increase logging verbosity (diff)