Am 2024-02-28 14:55, schrieb Scott Hollenbeck via Postfix-users:
Would someone please describe the configuration settings needed to support TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
That depends on your definition of "weak".
configuration files:
main.cf:
smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
Don't take the following as-is. Research what each option is doing, your milage may vary. Others may have other opinions.
# grep tls main.cf | grep -vE '^#' smtp_tls_session_cache_database = btree:$data_directory/smtp_scache smtp_tls_security_level = encrypt smtp_tls_session_cache_timeout = 3600s smtp_tls_mandatory_ciphers = high smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1 smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1 tls_random_source = dev:/dev/urandom smtp_tls_CApath = /etc/ssl/certs smtp_tls_connection_reuse = yes smtpd_tls_chain_files = /usr/local/etc/postfix/ssl/outgoing_key.pem smtp_tls_chain_files = $smtpd_tls_chain_files smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/ssl/dh_2048.pem smtpd_tls_dh512_param_file = /usr/local/etc/postfix/ssl/dh_512.pem smtpd_tls_ask_ccert = yes smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_tls_CApath = $smtp_tls_CApath smtpd_tls_eecdh_grade = auto smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1 smtpd_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1 smtpd_tls_mandatory_ciphers=high smtp_tls_policy_maps = hash:/usr/local/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384; tls_preempt_cipherlist = yes tls_ssl_options = NO_COMPRESSION This gives (nmap 7.94): PORT STATE SERVICE VERSION 25/tcp open smtp Postfix smtpd | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CCM (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_128_CCM (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | cipher preference: server |_ least strength: A Bye, Alexander. -- http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
