* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- use esmith::ssl to set ciphers and protocol [SME: 12822] improve cipher order to get strongers first
2025-01-18 16:14:46 -05:00
parent 4ba4af692a
commit 877a1070f0
8 changed files with 20 additions and 31 deletions
--- a/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
+++ b/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
@@ -1,5 +1,5 @@
 {
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+    use esmith::ssl;
+    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }

--- a/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($qpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($qpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($qpsmtpd{TLSv1} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($qpsmtpd{TLSv1.1} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($qpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($qpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("qpsmtpd");
 }
--- a/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers
+++ b/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers
@@ -1,5 +1,5 @@
 {
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    return $sqpsmtpd{tlsCipher} || $uqpsmtpd{tlsCipher} ||$modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+    use esmith::ssl;
+    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }

--- a/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($sqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($sqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($sqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($sqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($sqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($sqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("sqpsmtpd");
 }
--- a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
+++ b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
@@ -1,5 +1,5 @@
 {
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    return $uqpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+    use esmith::ssl;
+    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }

--- a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($uqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($uqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($uqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($uqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($uqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($uqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("uqpsmtpd");
 }
--- a/root/sbin/e-smith/systemd/qpsmtpd-init
+++ b/root/sbin/e-smith/systemd/qpsmtpd-init
@@ -31,11 +31,11 @@ export QPSMTPD_CONFIG=/var/service/$ServiceName/config
    rm -f /var/service/qpsmtpd/config/badrcptto_patterns

 # Create dhparam
-[ -e /var/service/qpsmtpd/ssl/dhparam.pem ] || \
+[ -s /var/service/qpsmtpd/ssl/dhparam.pem ] || \
    RANDFILE=/dev/null /usr/bin/openssl dhparam -out /var/service/qpsmtpd/ssl/dhparam.pem 2048

 # Create a default dkim key pair
-[ -e /home/e-smith/dkim_keys/default/private ] || (\
+[ -s /home/e-smith/dkim_keys/default/private ] || (\
    RANDFILE=/dev/null /usr/bin/openssl genrsa -out /home/e-smith/dkim_keys/default/private 2048
    /usr/bin/openssl rsa -in /home/e-smith/dkim_keys/default/private \
        -out /home/e-smith/dkim_keys/default/public -pubout