Scott Hollenbeck via Postfix-users:
> Thanks, here's the output:
> 
> $ postconf -H | grep -E 'high|medium'
> tls_high_cipherlist
> tls_medium_cipherlist
> $

No, a hint to study the postconf(5) manpage.

https://www.postfix.org/postconf.5.html#tls_high_cipherlist
https://www.postfix.org/postconf.5.html#tls_medium_cipherlist

	Wietse

> Scott
> 
> > -----Original Message-----
> > From: Wietse Venema via Postfix-users <postfix-users@postfix.org>
> > Sent: Wednesday, February 28, 2024 2:18 PM
> > To: Postfix users <postfix-users@postfix.org>
> > Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
> > 
> > Scott Hollenbeck via Postfix-users:
> > > Sorry, I should note that this is for postfix 3.6.4.
> > 
> > postconf -H | grep -E 'high|medium'
> > 
> > 	Wietse
> > 
> > > > -----Original Message-----
> > > > From: Scott Hollenbeck via Postfix-users <postfix-users@postfix.org>
> > > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > > To: postfix-users@postfix.org
> > > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
> > > > 
> > > > Would someone please describe the configuration settings needed to support
> > > > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > > > configuration files:
> > > > 
> > > > main.cf:
> > > > 
> > > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > > smtpd_tls_security_level = may
> > > > smtpd_tls_mandatory_ciphers = high
> > > > smtpd_tls_protocols = >=TLSv1.2
> > > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > > > 
> > > > master.cf:
> > > > 
> > > > submission inet n - n - - smtpd
> > > >   -o syslog_name=postfix/submission
> > > >   -o smtpd_tls_security_level=encrypt
> > > >   -o smtpd_sasl_auth_enable=yes
> > > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > > > 
> > > > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > > > that there are only TLS 1.2 ciphers listed, and some are weak):
> > > > 
> > > > $ nmap-ciphers 587 mysite.com
> > > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > > Nmap scan report for mysite.com (173.255.237.114)
> > > > Host is up (0.00017s latency).
> > > > Other addresses for mysite.com (not scanned): 2600:3c03::f03c:91ff:fe70:dbb
> > > > rDNS record for 173.255.237.114: mysite.net
> > > > 
> > > > PORT    STATE SERVICE
> > > > 587/tcp open  submission
> > > > | ssl-enum-ciphers:
> > > > |   TLSv1.2:
> > > > |     ciphers:
> > > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > > > |       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > > > |       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > > > |       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > > > |       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > > > |       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > > > |       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > > > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > > > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > > > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > > > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > > > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > > > |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > > > |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > > > |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> > > > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> > > > |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> > > > |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> > > > |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
> > > > |     compressors:
> > > > |       NULL
> > > > |     cipher preference: client
> > > > |_  least strength: F
> > > > 
> > > > Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
> > > > $
> > > > 
> > > > Thanks for your guidance,
> > > > Scott
> > > > 
> > > > _______________________________________________
> > > > Postfix-users mailing list -- postfix-users@postfix.org
> > > > To unsubscribe send an email to postfix-users-le...@postfix.org
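The scan output quoted in the thread is long enough that reading it by eye is error-prone, and the weak entries it contains fall into two groups that are easy to state mechanically: suites nmap grades F, and suites whose key exchange is anonymous (`DH_anon`, `ECDH_anon`) and therefore authenticates nobody. The script below is an added example, not code from the thread or from Postfix or nmap: it parses the text that `nmap --script ssl-enum-ciphers` prints, lists every suite per protocol version, and reports which ones an operator would want excluded before and after changing the cipher settings. The regular expressions, the `Suite` field names and the policy choice to also flag static-RSA key exchange (no forward secrecy) are this example's own assumptions; the embedded report is a constructed excerpt in the shape of the output quoted above.

```python
"""Audit an nmap ssl-enum-ciphers report for cipher suites to exclude.

Added example, not part of the Postfix-users thread.  Flags:
  * anonymous key exchange (DH_anon / ECDH_anon): no server authentication
  * static RSA key exchange (TLS_RSA_*): no forward secrecy (policy assumption)
  * any suite whose nmap grade is below the configured minimum
and reports whether a TLSv1.3 block was present at all, which the original
poster noted was missing from his scan.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the nmap output quoted in the thread.
SAMPLE_REPORT = """\
PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F
"""


@dataclass(frozen=True)
class Suite:
    protocol: str   # e.g. "TLSv1.2"
    name: str       # IANA suite name as nmap prints it
    kex_info: str   # e.g. "dh 2048" or "secp256r1"; "" when nmap prints none
    grade: str      # nmap letter grade, A (best) to F (worst)


# "|   TLSv1.2:" opens a protocol block; "|_  least strength: F" must not match.
PROTO_RE = re.compile(r"^\|\s+(TLSv1\.[0-3]|SSLv3):\s*$")
# "|       TLS_NAME (kex info) - A"; the parenthesised part is optional.
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+)(?:\s+\(([^)]*)\))?\s+-\s+([A-F])\s*$")


def parse_report(text: str) -> list[Suite]:
    """Return every cipher suite listed under each protocol block."""
    suites: list[Suite] = []
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            suites.append(Suite(proto, m.group(1), m.group(2) or "", m.group(3)))
    return suites


def weak_reasons(s: Suite, min_grade: str = "A") -> list[str]:
    """Reasons to exclude a suite; empty list means it passes this policy."""
    reasons = []
    if "_anon_" in s.name:
        reasons.append("anonymous key exchange (no server authentication)")
    elif s.name.startswith("TLS_RSA_WITH_"):
        reasons.append("static RSA key exchange (no forward secrecy)")
    if s.grade > min_grade:  # letters compare in order: A < B < ... < F
        reasons.append(f"nmap grade {s.grade} below minimum {min_grade}")
    return reasons


def audit(text: str, min_grade: str = "A") -> dict:
    """Summarise a report: protocols seen, suite count, flagged suites."""
    suites = parse_report(text)
    return {
        "protocols": sorted({s.protocol for s in suites}),
        "total": len(suites),
        "weak": {s.name: r for s in suites if (r := weak_reasons(s, min_grade))},
        "tls13_offered": any(s.protocol == "TLSv1.3" for s in suites),
    }


if __name__ == "__main__":
    # Run on a real scan with: nmap --script ssl-enum-ciphers -p 587 HOST > scan.txt
    result = audit(SAMPLE_REPORT)
    print(f"protocols: {result['protocols']}  suites: {result['total']}"
          f"  TLSv1.3 offered: {result['tls13_offered']}")
    for name, reasons in result["weak"].items():
        print(f"EXCLUDE {name}: {'; '.join(reasons)}")
```

Run it against the saved output of a real scan (replace `SAMPLE_REPORT` with the file contents) before and after a configuration change; the "EXCLUDE" list should shrink to nothing and `TLSv1.3 offered` should become `True` once the server side is where the original poster wanted it.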