On Wed, Aug 19, 2015 at 12:09:13PM +0200, L.P.H. van Belle wrote:
> Try it like this, there is no need for combining the certificates.
Actually, there is. It avoids the need to worry about the CApath,
which can then be left empty.
> if [ ! -d /etc/ssl/private ]; then
> mkdir -p /etc/ssl/private
> chmod 710 /etc/ssl/private
> fi
The DH parameters are public data, no need for "private".
> # Postfix enabled
> postconf -e "smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES,
> RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA"
> postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES,
> RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA"
There's no need to exclude aNULL, it is disabled automatically as
necessary. Also DES and EXPORT are already excluded from "medium".
This is not a well thought out list of exclusions. A few of the
above don't even exist (to be excluded).
No cargo-cult settings please.
> postconf -e "smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams512.pem"
> postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams1024.pem"
The recommended non-export DH parameters use 2048-bit primes these
days. See
http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs
http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
--
Viktor.
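
As an added illustration of the two objections raised in the reply (exclusions that are redundant, and names that do not exist), not code from the thread or from Postfix: a small Python checker that splits a Postfix list value the way Postfix does (commas and/or whitespace), flags the redundancies the reply names, and asks the local OpenSSL, through Python's ssl module, whether each remaining token selects any cipher at all. The redundancy table encodes only the two rules stated above and assumes the default "medium" grade; which names match is a property of the OpenSSL build Python links against, so the output varies by host. The sample input is the exclusion list quoted above.

```python
import ssl

# Redundancies stated in the reply, assuming the default "medium" grade.
REDUNDANT = {
    "aNULL": "Postfix disables aNULL itself where authentication requires it",
    "EXPORT": "already excluded from the medium grade",
    "DES": "already excluded from the medium grade",
}

# The list as posted in the thread (constructed input for this check).
POSTED_LIST = (
    "aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, "
    "EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
)


def split_postfix_list(value):
    """Postfix list parameters accept commas and/or whitespace as separators."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def matches_local_openssl(token):
    """True if the token selects at least one TLS<=1.2 cipher in the local OpenSSL.

    OpenSSL rejects a cipher string that matches nothing, which Python
    surfaces as ssl.SSLError; an unknown name is therefore a dead exclusion.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(token)
    except ssl.SSLError:
        return False
    return True


def lint_exclude_ciphers(value):
    """Classify each token of an *_exclude_ciphers value.

    Returns {"redundant": {token: reason}, "nonexistent": [...], "kept": [...]}.
    """
    report = {"redundant": {}, "nonexistent": [], "kept": []}
    for tok in split_postfix_list(value):
        if tok in REDUNDANT:
            report["redundant"][tok] = REDUNDANT[tok]
        elif not matches_local_openssl(tok):
            report["nonexistent"].append(tok)
        else:
            report["kept"].append(tok)
    return report


if __name__ == "__main__":
    result = lint_exclude_ciphers(POSTED_LIST)
    for tok, why in result["redundant"].items():
        print(f"redundant:   {tok:22} ({why})")
    for tok in result["nonexistent"]:
        print(f"nonexistent: {tok:22} (matches no cipher in local OpenSSL)")
    for tok in result["kept"]:
        print(f"kept:        {tok}")
```

Tokens such as "KRB5-DE5" and "EDH-RSA-DES-CDC3-SHA" are reported as nonexistent on every OpenSSL build; whether aliases like RC4 or MD5 still match anything depends on how the local library was built, which is exactly why an exclusion list should be checked against the OpenSSL Postfix actually runs with rather than copied from a web page.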