email-toolbox-wiki/under construction/STARTTLS-how-to.md
Dennis Baaten 435601cf34
updated cipher exclude list
Due to a bug in internet.nl, some 'insufficient' and 'phase out' algorithms were enabled but not detected (https://github.com/NLnetLabs/Internet.nl/issues/477). This led to a false positive test result of the cipher sub test. This new cipher exclude list fixes this.
2020-09-23 21:58:43 +02:00


UNDER CONSTRUCTION!!!

# STARTTLS how-to

This how-to was created by the Dutch Internet Standards Platform (the organization behind internet.nl) and is meant to provide practical information and guidance on implementing STARTTLS.

## Table of contents

Under construction

## What is STARTTLS?

Under construction

## Why use STARTTLS?

Under construction

## Tips, tricks and notices for implementation

### Implementing STARTTLS in Postfix

#### Specifics for this setup

- Linux Debian 10 (Buster)
- Postfix 3.4.5
- OpenSSL 1.1.1d

#### Assumptions

- Mail server is using DANE
- Software packages are already installed

#### Configuring Postfix

Add the following to `/etc/postfix/main.cf`. The `example.nl` file names are placeholders for your own key, certificate and CA bundle.

```
# --- DANE (when acting as a client) ---
# DANE needs a DNSSEC-validating resolver, typically running on localhost.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_host_lookup = dns
smtp_tls_note_starttls_offer = yes

# --- TLS settings ---
# Offer STARTTLS to connecting clients, but do not require it (opportunistic TLS)
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/example.nl.key
smtpd_tls_cert_file = /etc/postfix/ssl/example.nl.crt
smtpd_tls_CAfile = /etc/postfix/ssl/example.nl-cabundle.crt
# record protocol and cipher of incoming connections in the Received: header
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# --- TLS protocol config ---
# Only allow TLS 1.2 and newer, for both server (smtpd) and client (smtp, lmtp) roles
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# --- TLS cipher config ---
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# disable compression and client-initiated renegotiation
# (0x40000000 is SSL_OP_NO_RENEGOTIATION in OpenSSL 1.1.1)
tls_ssl_options = NO_COMPRESSION, 0x40000000
# disable insecure ciphers
smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
# Enable server cipher-suite preferences
tls_preempt_cipherlist = yes
# Forward secrecy
smtpd_tls_eecdh_grade = ultra
# despite the parameter name, larger groups such as the RFC 7919 ffdhe4096 group are accepted
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem

# --- TLS logging ---
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
```
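The commit that produced this version of the how-to fixed an exclude list that silently left weak algorithms enabled, which is exactly the kind of regression that is easy to miss by eye. The following audit script is an added example, not part of the how-to or of Postfix: it parses a `main.cf` fragment (including `#` comments and indented continuation lines) and reports any parameter that deviates from the settings above. The policy constants (`REQUIRED_EXCLUDES`, `LEGACY_PROTOCOLS`) are derived from this how-to, not from Postfix defaults, and the embedded sample is a constructed copy of the fragment above with two deliberate regressions so that the audit has something to report.

```python
"""Audit a Postfix main.cf fragment against the STARTTLS settings in this how-to.

Added example; policy values come from the how-to above, not from Postfix.
"""
import re

# Every algorithm class the how-to's exclude list names.
REQUIRED_EXCLUDES = {
    "EXP", "LOW", "MEDIUM", "aNULL", "eNULL", "SRP", "PSK", "kDH", "ADH",
    "AECDH", "kRSA", "DSS", "RC4", "DES", "IDEA", "SEED", "ARIA", "AESCCM8",
    "3DES", "MD5",
}
# Protocol versions the how-to disables in every role (server, client, lmtp).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PROTOCOL_PARAMS = (
    "smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
    "smtp_tls_mandatory_protocols", "smtp_tls_protocols",
    "lmtp_tls_mandatory_protocols", "lmtp_tls_protocols",
)

# Constructed sample: the how-to's fragment with two deliberate regressions
# (TLSv1.1 left enabled in smtpd_tls_protocols, 3DES missing from the
# client-side exclude list). One list is wrapped onto a continuation line.
SAMPLE_MAIN_CF = """\
# use DANE (when acting as a client)
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers=high
smtpd_tls_ciphers=high
tls_ssl_options = NO_COMPRESSION, 0x40000000
# a long list may be continued on indented lines
smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH,
    AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, ADH,
    AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, MD5
tls_preempt_cipherlist = yes
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value' (spaces optional), '#' comment
    lines, and continuation lines (a line starting with whitespace extends
    the value of the preceding parameter). A later assignment of the same
    parameter overrides an earlier one, as it does in Postfix."""
    params = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + stripped
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(params):
    """Return a list of findings; an empty list means the fragment matches
    every setting the how-to prescribes."""
    findings = []
    for name in PROTOCOL_PARAMS:
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set")
            continue
        disabled = {v[1:] for v in split_list(value) if v.startswith("!")}
        still_on = sorted(LEGACY_PROTOCOLS - disabled)
        if still_on:
            findings.append(f"{name}: legacy protocol(s) not disabled: {', '.join(still_on)}")
    for name in ("smtpd_tls_exclude_ciphers", "smtp_tls_exclude_ciphers"):
        missing = sorted(REQUIRED_EXCLUDES - set(split_list(params.get(name, ""))))
        if missing:
            findings.append(f"{name}: not excluded: {', '.join(missing)}")
    for name in ("smtpd_tls_mandatory_ciphers", "smtpd_tls_ciphers"):
        if params.get(name) != "high":
            findings.append(f"{name}: expected 'high', got {params.get(name)!r}")
    if "NO_COMPRESSION" not in split_list(params.get("tls_ssl_options", "")):
        findings.append("tls_ssl_options: TLS compression not disabled")
    if params.get("tls_preempt_cipherlist") != "yes":
        findings.append("tls_preempt_cipherlist: server cipher preference not enforced")
    if params.get("smtp_tls_security_level") == "dane" and params.get("smtp_dns_support_level") != "dnssec":
        findings.append("smtp_tls_security_level = dane requires smtp_dns_support_level = dnssec")
    if params.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("smtpd_tls_security_level: STARTTLS is not offered to clients")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

Run it against the real file with `parse_main_cf(open("/etc/postfix/main.cf").read())`; note that it reads the file as written and does not resolve `$variable` references or `postconf -n` defaults, so a parameter inherited from a default rather than set explicitly is reported as "not set".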