smeserver/smeserver-qpsmtpd
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

Browse Source 
- use esmith::ssl to set ciphers and protocol [SME: 12822]
  improve cipher order to get strongers first
This commit is contained in:
Jean-Philippe Pialasse 2025-01-18 16:14:46 -05:00
parent 4ba4af692a
commit 877a1070f0
8 changed files with 20 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
View File

@ -1,5 +1,5 @@
{ {
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated. use esmith::ssl;
return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
} }

9
root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
View File

@ -1,9 +1,4 @@
{ {
$OUT .= 'SSLv23'; use esmith::ssl;
$OUT .= ':!SSLv2' unless ($qpsmtpd{SSLv2} || 'disabled') eq 'enabled'; return SSLprotoQpsmtpd("qpsmtpd");
$OUT .= ':!SSLv3' unless ($qpsmtpd{SSLv3} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1' unless ($qpsmtpd{TLSv1} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1_1' unless ($qpsmtpd{TLSv1.1} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1_2' unless ($qpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1_3' unless ($qpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
} }

4
root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers
View File

@ -1,5 +1,5 @@
{ {
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated. use esmith::ssl;
return $sqpsmtpd{tlsCipher} || $uqpsmtpd{tlsCipher} ||$modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
} }

9
root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols
View File

@ -1,9 +1,4 @@
{ {
$OUT .= 'SSLv23'; use esmith::ssl;
$OUT .= ':!SSLv2' unless ($sqpsmtpd{SSLv2} || 'disabled') eq 'enabled'; return SSLprotoQpsmtpd("sqpsmtpd");
$OUT .= ':!SSLv3' unless ($sqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1' unless ($sqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1_1' unless ($sqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1_2' unless ($sqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1_3' unless ($sqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
} }

4
root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
View File

@ -1,5 +1,5 @@
{ {
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated. use esmith::ssl;
return $uqpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
} }

9
root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
View File

@ -1,9 +1,4 @@
{ {
$OUT .= 'SSLv23'; use esmith::ssl;
$OUT .= ':!SSLv2' unless ($uqpsmtpd{SSLv2} || 'disabled') eq 'enabled'; return SSLprotoQpsmtpd("uqpsmtpd");
$OUT .= ':!SSLv3' unless ($uqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1' unless ($uqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1_1' unless ($uqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
$OUT .= ':!TLSv1_2' unless ($uqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
$OUT .= ':!TLSv1_3' unless ($uqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
} }

4
root/sbin/e-smith/systemd/qpsmtpd-init
View File

@ -31,11 +31,11 @@ export QPSMTPD_CONFIG=/var/service/$ServiceName/config
rm -f /var/service/qpsmtpd/config/badrcptto_patterns rm -f /var/service/qpsmtpd/config/badrcptto_patterns
# Create dhparam # Create dhparam
[ -e /var/service/qpsmtpd/ssl/dhparam.pem ] || \ [ -s /var/service/qpsmtpd/ssl/dhparam.pem ] || \
RANDFILE=/dev/null /usr/bin/openssl dhparam -out /var/service/qpsmtpd/ssl/dhparam.pem 2048 RANDFILE=/dev/null /usr/bin/openssl dhparam -out /var/service/qpsmtpd/ssl/dhparam.pem 2048
# Create a default dkim key pair # Create a default dkim key pair
[ -e /home/e-smith/dkim_keys/default/private ] || (\ [ -s /home/e-smith/dkim_keys/default/private ] || (\
RANDFILE=/dev/null /usr/bin/openssl genrsa -out /home/e-smith/dkim_keys/default/private 2048 RANDFILE=/dev/null /usr/bin/openssl genrsa -out /home/e-smith/dkim_keys/default/private 2048
/usr/bin/openssl rsa -in /home/e-smith/dkim_keys/default/private \ /usr/bin/openssl rsa -in /home/e-smith/dkim_keys/default/private \
-out /home/e-smith/dkim_keys/default/public -pubout -out /home/e-smith/dkim_keys/default/public -pubout

8
smeserver-qpsmtpd.spec
View File

@ -4,7 +4,7 @@ Summary: SME Server qpsmtpd module
%define name smeserver-qpsmtpd %define name smeserver-qpsmtpd
Name: %{name} Name: %{name}
%define version 11.0.0 %define version 11.0.0
%define release 12 %define release 13
Version: %{version} Version: %{version}
Release: %{release}%{?dist} Release: %{release}%{?dist}
License: GPL License: GPL
@ -32,7 +32,7 @@ Obsoletes: e-smith-qpsmtpd < %{version}
Provides: e-smith-qpsmtpd Provides: e-smith-qpsmtpd
Obsoletes: smeserver-qpsmtpd-tnef2mime < %{version} Obsoletes: smeserver-qpsmtpd-tnef2mime < %{version}
Provides: smeserver-qpsmtpd-tnef2mime Provides: smeserver-qpsmtpd-tnef2mime
Requires: smeserver-base >= 4.15.2 Requires: smeserver-base >= 11.0.0-23
Requires: perl-Convert-TNEF Requires: perl-Convert-TNEF
Requires: perl-IO-stringy Requires: perl-IO-stringy
Requires: perl-File-MMagic Requires: perl-File-MMagic
@ -45,6 +45,10 @@ AutoReqProv: no
SME Server qpsmtpd smtpd module SME Server qpsmtpd smtpd module
%changelog %changelog
* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
- use esmith::ssl to set ciphers and protocol [SME: 12822]
improve cipher order to get strongers first
* Tue Jan 14 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme * Tue Jan 14 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
- fix /bin/sh is needed because of pretrans scriptlet [SME: 12871] - fix /bin/sh is needed because of pretrans scriptlet [SME: 12871]