mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-12-04 16:55:10 +01:00
435601cf34
Due to a bug in internet.nl, some 'insufficient' and 'phase out' algorithms were enabled but not detected (https://github.com/NLnetLabs/Internet.nl/issues/477). This lead to a false positive test result of the cipher sub test. This new cipher exclude list fixes this.
2.6 KiB
2.6 KiB
UNDER CONSTRUCTION!!!
STARTTLS how-to
This how-to is created by the Dutch Internet Standards Platform (the organization behind internet.nl) and is meant to provide practical information and guidance on implementing STARTTLS.
Table of contents
Under construction
What is STARTTLS?
Under construction
Why use STARTTLS?
Under construction
Tips, tricks and notices for implementation
- http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871
- Use the RFC 7919 defined DH groups: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem)
Implementing STARTTLS in Postfix
Specifics for this setup
- Linux Debian 10 (Buster)
- Postfix 3.4.5
- OpenSSL 1.1.1d
Assumptions
- Mail server is using DANE
- Software packages are already installed
Configuring Postfix
# use DANE (when acting as a client)
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_host_lookup = dns
smtp_tls_note_starttls_offer = yes
# --- TLS settings ---
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/example.nl.key
smtpd_tls_cert_file = /etc/postfix/ssl/example.nl.crt
smtpd_tls_CAfile = /etc/postfix/ssl/example.nl-cabundle.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# --- TLS protocol config ---
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# --- TLS cipher config ---
smtpd_tls_mandatory_ciphers=high
smtpd_tls_ciphers=high
# disable compression and client-initiated renegotiation
tls_ssl_options = NO_COMPRESSION, 0x40000000
# disable unsecure ciphers
smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
# Enable server cipher-suite preferences
tls_preempt_cipherlist = yes
# Forward secrecy
smtpd_tls_eecdh_grade=ultra
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem
# --- TLS logging ---
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1