mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-11-23 19:41:37 +01:00
435601cf34
Due to a bug in internet.nl, some 'insufficient' and 'phase out' algorithms were enabled but not detected (https://github.com/NLnetLabs/Internet.nl/issues/477). This lead to a false positive test result of the cipher sub test. This new cipher exclude list fixes this.
76 lines
2.6 KiB
Markdown
76 lines
2.6 KiB
Markdown
<img align="right" src="/images/logo-internetnl-en.svg">
|
|
|
|
# UNDER CONSTRUCTION!!!
|
|
|
|
# STARTTLS how-to
|
|
This how-to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing STARTTLS.
|
|
|
|
# Table of contents
|
|
Under construction
|
|
|
|
# What is STARTTLS?
|
|
Under construction
|
|
|
|
# Why use STARTTLS?
|
|
Under construction
|
|
|
|
# Tips, tricks and notices for implementation
|
|
* http://postfix.1071664.n5.nabble.com/Disable-SSL-TLS-renegotiation-td96864.html#a96871
|
|
* Use the RFC 7919 defined DH groups: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem)
|
|
|
|
## Implementing STARTTLS in Postfix
|
|
**Specifics for this setup**
|
|
* Linux Debian 10 (Buster)
|
|
* Postfix 3.4.5
|
|
* OpenSSL 1.1.1d
|
|
|
|
**Assumptions**
|
|
* Mail server is using DANE
|
|
* Software packages are already installed
|
|
|
|
### Configuring Postfix
|
|
|
|
# use DANE (when acting as a client)
|
|
smtp_dns_support_level = dnssec
|
|
smtp_tls_security_level = dane
|
|
smtp_host_lookup = dns
|
|
smtp_tls_note_starttls_offer = yes
|
|
|
|
# --- TLS settings ---
|
|
smtpd_tls_security_level = may
|
|
smtpd_tls_key_file = /etc/postfix/ssl/example.nl.key
|
|
smtpd_tls_cert_file = /etc/postfix/ssl/example.nl.crt
|
|
smtpd_tls_CAfile = /etc/postfix/ssl/example.nl-cabundle.crt
|
|
smtpd_tls_received_header = yes
|
|
smtpd_tls_session_cache_timeout = 3600s
|
|
|
|
# --- TLS protocol config ---
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
|
|
|
# --- TLS cipher config ---
|
|
smtpd_tls_mandatory_ciphers=high
|
|
smtpd_tls_ciphers=high
|
|
# disable compression and client-initiated renegotiation
|
|
tls_ssl_options = NO_COMPRESSION, 0x40000000
|
|
# disable unsecure ciphers
|
|
smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
|
|
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
|
|
# Enable server cipher-suite preferences
|
|
tls_preempt_cipherlist = yes
|
|
# Forward secrecy
|
|
smtpd_tls_eecdh_grade=ultra
|
|
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem
|
|
|
|
# --- TLS logging ---
|
|
smtp_tls_loglevel = 1
|
|
smtpd_tls_loglevel = 1
|
|
|
|
|
|
|
|
|