On Thu, 19 Jan 2012 18:43:28 +0200, Nikolaos Milas <[email protected]>
wrote:

> submission inet n       -       n       -       -       smtpd
>    -o syslog_name=postfix/submission
>    -o smtpd_enforce_tls=yes
>    -o smtpd_sasl_auth_enable=yes
>   ...
> Any other options (except smtpd_*) which we should also redefine?

This will give you a fairly secure submission:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix-submission
  -o tls_preempt_cipherlist=yes
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_exclude_ciphers=DES,3DES,MD5,aNULL
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

NOTES:
- in the submission line please note the second dash '-' instead of
  your 'n' (it is safe and wil spare you from a lot of chroot problems)

- if using a Postfix newer than v.2.2 you should use
  smtpd_tls_security_level=encrypt , instead of smtpd_enforce_tls=yes. 
You can check postfix version using:  postconf | grep mail_version

- smtpd_tls_exclude_ciphers is used to exclude some of the weaker
  ciphers. Or, even better: DES,3DES,MD5,aNULL,AES128,CAMELLIA128
  To check what you will be getting execute:
openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL@STRENGTH'
openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL:!AES128:!CAMELLIA128@STRENGTH'


 M.

Reply via email to