On Thu, 19 Jan 2012 18:43:28 +0200, Nikolaos Milas <[email protected]> wrote:
> submission inet n - n - - smtpd > -o syslog_name=postfix/submission > -o smtpd_enforce_tls=yes > -o smtpd_sasl_auth_enable=yes > ... > Any other options (except smtpd_*) which we should also redefine? This will give you a fairly secure submission: submission inet n - - - - smtpd -o syslog_name=postfix-submission -o tls_preempt_cipherlist=yes -o smtpd_tls_mandatory_ciphers=high -o smtpd_tls_exclude_ciphers=DES,3DES,MD5,aNULL -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING NOTES: - in the submission line please note the second dash '-' instead of your 'n' (it is safe and wil spare you from a lot of chroot problems) - if using a Postfix newer than v.2.2 you should use smtpd_tls_security_level=encrypt , instead of smtpd_enforce_tls=yes. You can check postfix version using: postconf | grep mail_version - smtpd_tls_exclude_ciphers is used to exclude some of the weaker ciphers. Or, even better: DES,3DES,MD5,aNULL,AES128,CAMELLIA128 To check what you will be getting execute: openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL@STRENGTH' openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL:!AES128:!CAMELLIA128@STRENGTH' M.
