Update STARTTLS-how-to.md

This commit is contained in:
Dennis Baaten 2020-05-28 11:08:21 +02:00
parent 8813f6dbcd
commit da3c1db8ad

View File

@ -16,6 +16,7 @@ Under construction
# Tips, tricks and notices for implementation # Tips, tricks and notices for implementation
* http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871 * http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871
* Use the RFC 7919 defined DH groups: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem)
## Implementing STARTTLS in Postfix ## Implementing STARTTLS in Postfix
**Specifics for this setup** **Specifics for this setup**
@ -60,7 +61,7 @@ Under construction
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-AES256-CCM8, AES256-CCM8, DHE-RSA-AES128-CCM8, AES128-CCM8 smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, DHE-RSA-AES256-CCM8, AES256-CCM8, DHE-RSA-AES128-CCM8, AES128-CCM8
# Enable server cipher-suite preferences # Enable server cipher-suite preferences
tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
# Forward secrecy (use the RFC 7919 defined DH group:https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem) # Forward secrecy
smtpd_tls_eecdh_grade=ultra smtpd_tls_eecdh_grade=ultra
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem