Allow disabling older SSL/TLS protocols

Bug #1950116 reported by Haw Loeung
Affects: SMTP Relay Charm | Status: Fix Released | Importance: High | Assigned to: Haw Loeung | Milestone: (none)

Bug Description

Hi,

Noticed tlsmon picking up that services deployed using the SMTP relay charm have TLS1.0 and TLS1.1 still enabled. We should allow the ability to disable this with a charm option with a big fat warning to override it.

| smtpd_tls_protocols = !SSLv2 !SSLv3

Haw Loeung (hloeung)
Changed in smtp-relay-charm:
assignee: nobody → Haw Loeung (hloeung)
importance: Undecided → High
status: New → In Progress
Haw Loeung (hloeung) wrote :

Sadly, Focal ships with Postfix 3.4, so it doesn't support ">=TLSv1.2". Instead, the default will be "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1".
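The comment above describes the two ways of expressing a TLS floor in Postfix: the ">=TLSv1.2" range form, which the Postfix 3.6 release introduced, and the older exclusion list that Focal's Postfix 3.4 still needs. The following is an added illustration, not code from the smtp-relay charm itself, of how a charm option could choose the form the installed Postfix accepts and how a candidate value can be evaluated before it is written to main.cf. The function names, the version threshold constant and the simplified evaluation of Postfix's list syntax are this example's own assumptions.

```python
"""Build and check a Postfix smtpd_tls_protocols value for a chosen TLS floor.

Added illustration, not the smtp-relay charm's own code. Postfix 3.6 added the
">=TLSv1.2" range syntax; older releases such as Focal's 3.4 only understand an
exclusion list, so the builder picks the form the installed version accepts.
"""

from typing import Tuple

# Protocols Postfix knows about, oldest first. Position doubles as ordering.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# First Postfix release accepting the ">=TLSvX" range form (assumption used by
# this example; Focal's 3.4 is below it, Jammy's 3.6 is at it).
RANGE_SYNTAX_SINCE = (3, 6)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "3.4.13" or "3.6.4-1ubuntu1" into a comparable tuple."""
    core = version.split("-")[0].split("~")[0]
    return tuple(int(part) for part in core.split("."))


def smtpd_tls_protocols(min_version: str, postfix_version: str) -> str:
    """Return a main.cf value that enables min_version and everything newer."""
    if min_version not in PROTOCOLS:
        raise ValueError(f"unknown protocol {min_version!r}")
    if parse_version(postfix_version) >= RANGE_SYNTAX_SINCE:
        return f">={min_version}"
    # Older Postfix: exclude every protocol below the floor, one "!name" each.
    floor = PROTOCOLS.index(min_version)
    return ", ".join(f"!{p}" for p in PROTOCOLS[:floor])


def enabled_protocols(setting: str) -> Tuple[str, ...]:
    """Simplified model of how Postfix reads the setting, so an operator's
    override can be checked before it lands on the relay: ">=X" keeps X and
    newer, "!name" entries remove names from the full list, and a bare name
    list keeps only those names. Mixed include/exclude lists are refused here
    rather than guessing what Postfix would do with them."""
    setting = setting.strip()
    if setting.startswith(">="):
        floor = PROTOCOLS.index(setting[2:].strip())
        return PROTOCOLS[floor:]
    tokens = [t for t in setting.replace(",", " ").split() if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = [t for t in tokens if not t.startswith("!")]
    if included and excluded:
        raise ValueError("mixed include/exclude list is not supported here")
    if included:
        return tuple(p for p in PROTOCOLS if p in included)
    return tuple(p for p in PROTOCOLS if p not in excluded)


if __name__ == "__main__":
    for pf in ("3.4.13", "3.6.4-1ubuntu1"):
        value = smtpd_tls_protocols("TLSv1.2", pf)
        print(f"Postfix {pf}: smtpd_tls_protocols = {value}")
        print("  enabled:", ", ".join(enabled_protocols(value)))
```

After the charm has written the value, `postconf -n smtpd_tls_protocols` shows what Postfix actually loaded, and `openssl s_client -connect relay.example:25 -starttls smtp -tls1` (a placeholder host) should fail to complete a handshake once TLSv1 is excluded.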

Haw Loeung (hloeung) wrote :

Per comments on the MP, we want to keep TLSv1 and TLSv1.1 support by default to ensure better interoperability with other MTAs. Also keep or reduce deliverability problems to domains running older MTAs.

summary: Disable older SSL/TLS protocols → Allow disabling older SSL/TLS protocols
description: updated
Haw Loeung (hloeung)
Changed in smtp-relay-charm:
status: In Progress → Fix Committed
Haw Loeung (hloeung)
Changed in smtp-relay-charm:
status: Fix Committed → Fix Released