[Postfix] Upgrade to Deb12 + PF to 3.7.10 & Drop TLS 1.0/1.1 per defa…

…ult (#5635) * postfix: removed TLS1.0/1.1 support (natively) * postfix: upgrade to deb12 + pf to 3.7.9 * compose: increased postfix tag * postfix: shortened TLS syntax with new format of 3.6+
mailcow · Jun 26, 2024 · 2cf952e · 2cf952e
1 parent 6fc86dd
commit 2cf952e
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 14 deletions.
diff --git a/data/Dockerfiles/postfix/Dockerfile b/data/Dockerfiles/postfix/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 LABEL maintainer "The Infrastructure Company GmbH <[email protected]>"
 
 ARG DEBIAN_FRONTEND=noninteractive

diff --git a/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf b/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);

diff --git a/data/Dockerfiles/postfix/syslog-ng.conf b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);

diff --git a/data/conf/postfix/anonymize_headers.pcre b/data/conf/postfix/anonymize_headers.pcre
@@ -1,6 +1,6 @@
 if /^\s*Received:.*Authenticated sender.*\(Postcow\)/
 #/^Received: from .*? \([\w-.]* \[.*?\]\)\s+\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (E?SMTPS?A?) id ([A-F0-9]+).+;.*?/
-/^Received: from .*? \([\w-.]* \[.*?\]\)(.*|\n.*)\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (.*)/
+/^Received: from .*? \([\w\-.]* \[.*?\]\)(.*|\n.*)\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (.*)/
   REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with $3
 endif
 if /^\s*Received: from.* \(.*dovecot-mailcow.*mailcow-network.*\).*\(Postcow\)/

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
@@ -114,14 +114,14 @@ smtpd_tls_loglevel = 1
 
 # Mandatory protocols and ciphers are used when a connections is enforced to use TLS
 # Does _not_ apply to enforced incoming TLS settings per mailbox
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = >=TLSv1.2
+lmtp_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_mandatory_protocols = >=TLSv1.2
 smtpd_tls_mandatory_ciphers = high
 
-smtp_tls_protocols = !SSLv2, !SSLv3
-lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = >=TLSv1.2
+lmtp_tls_protocols = >=TLSv1.2
+smtpd_tls_protocols = >=TLSv1.2
 
 smtpd_tls_security_level = may
 tls_preempt_cipherlist = yes
@@ -164,11 +164,11 @@ transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
 smtp_sasl_auth_soft_bounce = no
 postscreen_discard_ehlo_keywords = silent-discard, dsn, chunking
 smtpd_discard_ehlo_keywords = chunking, silent-discard
-compatibility_level = 2
+compatibility_level = 3.7
 smtputf8_enable = no
 # Define protocols for SMTPS and submission service
-submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+submission_smtpd_tls_mandatory_protocols = >=TLSv1.2
+smtps_smtpd_tls_mandatory_protocols = >=TLSv1.2
 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients
 
 # DO NOT EDIT ANYTHING BELOW #

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -304,7 +304,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: mailcow/postfix:1.74
+      image: mailcow/postfix:1.75
       depends_on:
         mysql-mailcow:
           condition: service_started