Open Raptormagnum opened 9 years ago
POSTFIX CONF
main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = CHANGEIT
mydomain = CHANGEIT
myorigin = $mydomain
inet_interfaces = XXX.XXX.XXX.XXX, 127.0.0.1
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = XXX.XXX.XXX.XXX/XX, 127.0.0.0/8
relay_domains =
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
message_size_limit = 20971520
virtual_alias_domains = XXXXX.XX, XXXXX.XX
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/pki/tls/certs/XXXXX.XX.chain.pem
smtpd_tls_key_file = /etc/pki/tls/private/XXXXX.XX.key
smtpd_tls_security_level = may
tls_high_cipherlist = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, LOW, 3DES, MD5, EXP, PSK, SRP, DSS, RC4, SSLv2, SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_eecdh_grade = ultra
tls_eecdh_ultra_curve = secp384r1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_mynetworks,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
POSTFIX CONF
master.cf
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=no
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=no
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING
smtp (port 25) need to be uncomment, many servers send on 25 port. submisison is for STARTTLS (port 587) smtps is for SSL/TLS (port 465)
DOVECOT CONF
dovecot.conf
protocols = imap
listen = *
#base_dir = /var/run/dovecot/
#instance_name = dovecot
#login_greeting = Dovecot ready.
#login_trusted_networks =
#login_access_sockets =
#auth_proxy_self =
#verbose_proctitle = no
#shutdown_clients = yes
#doveadm_socket_path = doveadm-server
#import_environment = TZ
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf
DOVECOT CONF
conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/pki/tls/certs/XXXXX.XX.chain.pem
ssl_key = </etc/pki/tls/private/XXXXX.XX.key
#ssl_key_password =
#ssl_ca =
#ssl_require_crl = yes
#ssl_client_ca_dir =
#ssl_client_ca_file =
#ssl_verify_client_cert = no
#ssl_cert_username_field = commonName
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SSLv2:!SSLv3
ssl_prefer_server_ciphers = yes
#ssl_crypto_device =
What about the Webserver? For Nginx I use:
All modern browsers support this. Fast and secure.
For Apache 2.4 :
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/XXXXX.XX.crt
SSLCertificateKeyFile /etc/pki/tls/private/XXXXX.XX.key
SSLCertificateChainFile /etc/pki/tls/certs/XXXXX.XX.chain.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
Header set Strict-Transport-Security "max-age=15552001"
All used browsers, who are updated (all except MS XP OS), support this.
On QualysSSL you can view your level of security : https://www.ssllabs.com/ssltest/analyze.html I have A+
Hi (it is not an issue, but maybe a good pratice)
I see many posts with SSL/TLS issue.
Maybe we will post TLS configuration that works ?