2020-05-28 11:01:58 +02:00
< img align = "right" src = "/images/logo-internetnl-en.svg" >
2020-05-28 10:38:13 +02:00
# UNDER CONSTRUCTION!!!
# STARTTLS how-to
This how-to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl ](https://internet.nl )) and is meant to provide practical information and guidance on implementing STARTTLS.
# Table of contents
2020-05-28 11:01:58 +02:00
Under construction
2020-05-28 10:38:13 +02:00
# What is STARTTLS?
2020-05-28 11:01:58 +02:00
Under construction
2020-05-28 10:38:13 +02:00
# Why use STARTTLS?
2020-05-28 11:01:58 +02:00
Under construction
2020-05-28 10:38:13 +02:00
# Tips, tricks and notices for implementation
2020-05-28 11:01:58 +02:00
* http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871
2020-05-28 11:08:21 +02:00
* Use the RFC 7919 defined DH groups: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem)
2020-05-28 10:38:13 +02:00
## Implementing STARTTLS in Postfix
**Specifics for this setup**
* Linux Debian 10 (Buster)
* Postfix 3.4.5
* OpenSSL 1.1.1d
**Assumptions**
* Mail server is using DANE
* Software packages are already installed
### Configuring Postfix
2020-05-28 11:01:58 +02:00
# use DANE (when acting as a client)
2020-05-28 10:38:13 +02:00
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_host_lookup = dns
smtp_tls_note_starttls_offer = yes
2020-05-28 11:01:58 +02:00
# --- TLS settings ---
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/example.nl.key
smtpd_tls_cert_file = /etc/postfix/ssl/example.nl.crt
smtpd_tls_CAfile = /etc/postfix/ssl/example.nl-cabundle.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# --- TLS protocol config ---
2020-05-28 10:38:13 +02:00
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
2020-05-28 11:01:58 +02:00
# --- TLS cipher config ---
2020-05-28 10:38:13 +02:00
smtpd_tls_mandatory_ciphers=high
smtpd_tls_ciphers=high
2020-05-28 11:01:58 +02:00
# disable compression and client-initiated renegotiation
2020-05-28 10:38:13 +02:00
tls_ssl_options = NO_COMPRESSION, 0x40000000
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-AES256-CCM8, AES256-CCM8, DHE-RSA-AES128-CCM8, AES128-CCM8
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-AES256-CCM8, AES256-CCM8, DHE-RSA-AES128-CCM8, AES128-CCM8
# Enable server cipher-suite preferences
tls_preempt_cipherlist = yes
2020-05-28 11:08:21 +02:00
# Forward secrecy
2020-05-28 10:38:13 +02:00
smtpd_tls_eecdh_grade=ultra
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem
2020-05-28 11:01:58 +02:00
# --- TLS logging ---
2020-05-28 10:38:13 +02:00
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1