On Wed, Aug 19, 2015 at 08:46:03AM -0700, Alice Wonder wrote:
> >>if [ -d /etc/ssl/private ]; then
> >> mkdir -p /etc/ssl/private
> >> chmod 710 /etc/ssl/private
> >>fi
>
> I ended up specifying smtpd_tls_CAfile
>
> which has both the intermediary certs.
>
> That works well and is not difficult to do
It has the side-effect of sending the DNs of all the CAs in question
in the TLS handshake to clients if you some day enable "smtpd_tls_ask_ccert
= yes", and often loads more CAs into memory than you need.
It is not wrong of course, but it is a more indirect way of getting
the right result.
> >No cargo-cult settings please.
>
> This is what I am using
>
> smtpd_tls_exclude_ciphers = RC4, 3DES, IDEA
>
> I still have to go through.
It is not (yet) a good idea to disable RC4 or 3DES on the server
side. IDEA is essentially unused, so removing it is harmless.
Don't (yet) disable RC4 or 3DES, this just makes it harder for
some systems to send you email.
> But port 587 I wish I could be super picky about allowed ciphers because
> that's where users authenticate (though there's not a way I know of yet anyway
> to stop them from using 25 except when their ISP blocks it) and
> authentication does need to be kept private.
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_exclude_ciphers
For many sites, it suffices to just set:
# This may already be the default:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# This defaults to "medium"
smtpd_tls_mandatory_ciphers = high
which disables all the weak stuff, but if you need some
"medium" ciphers, then you probably need RC4, in which case,
just:
# This may already be the default:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
--
Viktor.
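As an added illustration (not part of the thread above, and not Postfix's own documentation), here is one way the two policies discussed in this exchange can coexist: port 25 keeps opportunistic TLS with the permissive "medium" cipher list so that legacy senders can still deliver mail, while the submission service on port 587 is switched to mandatory TLS and therefore picks up the stricter `smtpd_tls_mandatory_*` settings. The certificate path and hostname are placeholders; the parameter names are the real Postfix ones referenced in the reply.

```conf
# --- main.cf (added example; paths are placeholders) ---

# Port 25 (MX traffic): opportunistic TLS. Leave the default "medium"
# cipher grade in place here so older senders (RC4/3DES-only) are not
# locked out, as the reply above recommends.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/private/mail.example.com.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium

# These only take effect for services running at
# smtpd_tls_security_level = encrypt, i.e. the submission service below.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high

# --- master.cf (added example) ---

# Port 587: TLS is mandatory, so the *_mandatory_* grades apply, and
# SASL credentials are only offered once the channel is encrypted.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After reloading Postfix, `postconf -n` shows the main.cf values and `postconf -M submission/inet` shows the per-service overrides, so you can confirm that the "high" cipher grade is only attached to the submission service and that port 25 still advertises the wider list.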