email-toolbox-wiki/under construction/STARTTLS-how-to.md

<img align="right" src="/images/logo-internetnl-en.svg">

# UNDER CONSTRUCTION!!! 

# STARTTLS how-to
This how-to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing STARTTLS.  

# Table of contents
Under construction

# What is STARTTLS?
Under construction

# Why use STARTTLS?
Under construction

# Tips, tricks and notices for implementation
* http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871
* Use the RFC 7919 defined DH groups: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem)

## Implementing STARTTLS in Postfix
**Specifics for this setup**
* Linux Debian 10 (Buster) 
* Postfix 3.4.5
* OpenSSL 1.1.1d

**Assumptions**
* Mail server is using DANE
* Software packages are already installed

### Configuring Postfix

    # use DANE (when acting as a client)
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane
    smtp_host_lookup = dns
    smtp_tls_note_starttls_offer = yes

    # --- TLS settings ---
    smtpd_tls_security_level = may
    smtpd_tls_key_file = /etc/postfix/ssl/example.nl.key
    smtpd_tls_cert_file = /etc/postfix/ssl/example.nl.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/example.nl-cabundle.crt
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
      
    # --- TLS protocol config ---
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
	
	# --- TLS cipher config ---
    smtpd_tls_mandatory_ciphers=high
    smtpd_tls_ciphers=high
	# disable compression and client-initiated renegotiation
    tls_ssl_options = NO_COMPRESSION, 0x40000000
	# disable unsecure ciphers
    smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
    smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
	# Enable server cipher-suite preferences
    tls_preempt_cipherlist = yes
    # Forward secrecy
    smtpd_tls_eecdh_grade=ultra
    smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem
	
	# --- TLS logging ---
    smtp_tls_loglevel = 1
    smtpd_tls_loglevel = 1
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`<img align="right" src="/images/logo-internetnl-en.svg">`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00
			`# UNDER CONSTRUCTION!!!`

			`# STARTTLS how-to`
			`This how-to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing STARTTLS.`

			`# Table of contents`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`Under construction`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00
			`# What is STARTTLS?`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`Under construction`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00
			`# Why use STARTTLS?`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`Under construction`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00
			`# Tips, tricks and notices for implementation`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`* http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871`
Update STARTTLS-how-to.md 2020-05-28 11:08:21 +02:00			`* Use the RFC 7919 defined DH groups: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem)`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00
			`## Implementing STARTTLS in Postfix`
			`Specifics for this setup`
			`* Linux Debian 10 (Buster)`
			`* Postfix 3.4.5`
			`* OpenSSL 1.1.1d`

			`Assumptions`
			`* Mail server is using DANE`
			`* Software packages are already installed`

			`### Configuring Postfix`

Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`# use DANE (when acting as a client)`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`smtp_dns_support_level = dnssec`
			`smtp_tls_security_level = dane`
			`smtp_host_lookup = dns`
			`smtp_tls_note_starttls_offer = yes`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00
			`# --- TLS settings ---`
			`smtpd_tls_security_level = may`
			`smtpd_tls_key_file = /etc/postfix/ssl/example.nl.key`
			`smtpd_tls_cert_file = /etc/postfix/ssl/example.nl.crt`
			`smtpd_tls_CAfile = /etc/postfix/ssl/example.nl-cabundle.crt`
			`smtpd_tls_received_header = yes`
			`smtpd_tls_session_cache_timeout = 3600s`

			`# --- TLS protocol config ---`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`
			`lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`

Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`# --- TLS cipher config ---`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`smtpd_tls_mandatory_ciphers=high`
			`smtpd_tls_ciphers=high`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00			`# disable compression and client-initiated renegotiation`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`tls_ssl_options = NO_COMPRESSION, 0x40000000`
Update STARTTLS-how-to.md 2020-05-28 11:10:40 +02:00			`# disable unsecure ciphers`
updated cipher exclude list Due to a bug in internet.nl, some 'insufficient' and 'phase out' algorithms were enabled but not detected (https://github.com/NLnetLabs/Internet.nl/issues/477). This lead to a false positive test result of the cipher sub test. This new cipher exclude list fixes this. 2020-09-23 21:58:43 +02:00			`smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5`
			`smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`# Enable server cipher-suite preferences`
			`tls_preempt_cipherlist = yes`
Update STARTTLS-how-to.md 2020-05-28 11:08:21 +02:00			`# Forward secrecy`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`smtpd_tls_eecdh_grade=ultra`
			`smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem`
Update STARTTLS-how-to.md 2020-05-28 11:01:58 +02:00
			`# --- TLS logging ---`
Create STARTTLS-how-to.md 2020-05-28 10:38:13 +02:00			`smtp_tls_loglevel = 1`
			`smtpd_tls_loglevel = 1`