2 Changes

Shawn Iverson · Shawn Iverson · commit 2fd4076bad63 · 2017-09-30T14:10:26.000-04:00
Reduce tls ciphers to medium for compatibility
Add new dcc servers without replacing dcc-servers.net servers
diff --git a/CHANGELOG b/CHANGELOG
@@ -8,7 +8,7 @@ Issue #385 Bug         - Changed from reload to restart for Postfix
 Issue #387 Enhancement - Updated MariaDB recovery script
 
 Enhancement - Let's Encrypt
-Enhancement - Removed public DCC servers and add EFA sponsored DCC servers
+Enhancement - Add EFA sponsored DCC servers
 Enhancement - Hypervisor detection during init
 Security - Regenerate self signed certs for Postfix/Apache/Webmin
 Security - Enabled strong cipher preference in Postfix
@@ -18,9 +18,6 @@ Bug - Updated menu options for "Apache Settings" menu
 Bug - Quarantine report to flip from HTTP to HTTPS
 Bug - Update quarantine FROM_ADDR to use POSTMASTER address in /etc/EFA-Config
 
-
-
-
 ############################################################
 EFA Version 3.0.2.4 Changes
 ############################################################
diff --git a/build/build.bash b/build/build.bash
@@ -229,7 +229,7 @@ func_postfix () {
     postconf -e "masquerade_domains = \$mydomain"
     # harden postfix
     postconf -e "tls_preempt_cipherlist = yes"
-    postconf -e "tls_high_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+    postconf -e "tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
     #other configuration files
     newaliases
     touch /etc/postfix/transport
@@ -251,7 +251,8 @@ func_postfix () {
     # Logjam Vulnerability #188 - #update for v3.0.2.5 for new cipher suite
     openssl dhparam -out /etc/postfix/ssl/dhparam.pem 2048
     postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparam.pem"
-    postconf -e "smtpd_tls_ciphers = high"
+    # Set to medium (default) not high for tls compatibility
+    postconf -e "smtpd_tls_ciphers = medium"
 
     echo "pwcheck_method: auxprop">/usr/lib64/sasl2/smtpd.conf
     echo "auxprop_plugin: sasldb">>/usr/lib64/sasl2/smtpd.conf
@@ -1147,12 +1148,7 @@ func_dcc () {
     sed -i "s/#loadplugin Mail::SpamAssassin::Plugin::DCC/loadplugin Mail::SpamAssassin::Plugin::DCC/g" /etc/mail/spamassassin/v310.pre
     
     #remove old servers
-    /usr/local/bin/cdcc "delete dcc1.dcc-servers.net"
-    /usr/local/bin/cdcc "delete dcc2.dcc-servers.net"
-    /usr/local/bin/cdcc "delete dcc3.dcc-servers.net"
-    /usr/local/bin/cdcc "delete dcc4.dcc-servers.net"
-    /usr/local/bin/cdcc "delete dcc5.dcc-servers.net"
-    /usr/local/bin/cdcc "delete dcc.nova53.net"
+    /usr/local/bin/cdcc "delete dcc.nova53.net" >/dev/null 2>&1
     #add new EFA servers
     /usr/local/bin/cdcc "add dcc1.nova53.net"
     /usr/local/bin/cdcc "add dcc2.nova53.net"
