Open Raptormagnum opened 8 years ago
POSTFIX CONF
main.cf
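# Postfix main.cf (Postfix 2.10 layout). CHANGEIT and the XXX values are the
# author's placeholders for host/domain names, addresses and certificate names.
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = CHANGEIT
mydomain = CHANGEIT
myorigin = $mydomain
inet_interfaces = XXX.XXX.XXX.XXX, 127.0.0.1
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
# Everything in mynetworks is trusted by permit_mynetworks further down, so
# keep the netmask as tight as possible.
mynetworks = XXX.XXX.XXX.XXX/XX, 127.0.0.0/8
relay_domains =
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2
# Multi-line value: continuation lines MUST start with whitespace. Pasted at
# column 0, "PATH=..." and "ddd ..." are read as separate, broken parameters.
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
# 20 MiB
message_size_limit = 20971520
virtual_alias_domains = XXXXX.XX, XXXXX.XX
virtual_alias_maps = hash:/etc/postfix/virtual

# --- TLS for the inbound SMTP server -----------------------------------------
smtpd_use_tls = yes
# Never announce or accept AUTH on an unencrypted session. With "no", a client
# can send its password in the clear on port 25, and on any master.cf service
# whose security level is still "may".
smtpd_tls_auth_only = yes
# Level 1 logs one summary per handshake; 2 adds negotiation detail and is
# noticeably more verbose in production.
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/pki/tls/certs/XXXXX.XX.chain.pem
smtpd_tls_key_file = /etc/pki/tls/private/XXXXX.XX.key
# Opportunistic TLS on port 25. At level "may" Postfix consults
# smtpd_tls_protocols / smtpd_tls_ciphers / smtpd_tls_exclude_ciphers; the
# smtpd_tls_mandatory_* settings below only take effect at "encrypt" or in
# wrapper mode (the smtps service, and submission once it is set to "encrypt").
smtpd_tls_security_level = may
# Without this line the mandatory "!SSLv2, !SSLv3" setting below does nothing
# for opportunistic TLS on port 25.
smtpd_tls_protocols = !SSLv2, !SSLv3
tls_high_cipherlist = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA
smtpd_tls_mandatory_ciphers = high
# Note: in OpenSSL 1.0.x cipher strings the "SSLv3" alias names every
# pre-TLS1.2 cipher suite, so excluding it leaves only TLS 1.2 suites; the
# protocol itself is switched off by smtpd_tls_mandatory_protocols.
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, LOW, 3DES, MD5, EXP, PSK, SRP, DSS, RC4, SSLv2, SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_eecdh_grade = ultra
tls_eecdh_ultra_curve = secp384r1

# --- SASL via Dovecot's auth socket -------------------------------------------
smtpd_sasl_type = dovecot
# Relative to queue_directory; Dovecot must be configured to listen on this socket.
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# Connection level: nothing is rejected here, relay control happens below.
smtpd_client_restrictions = permit_mynetworks,permit
# Relay policy: local networks, mail addressed to our own domains
# (permit_auth_destination) and authenticated users; everything else is
# refused, so this is not an open relay.
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject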
POSTFIX CONF
master.cf
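# Postfix master.cf services: inbound SMTP (25), submission (587), smtps (465).
# Every "-o" override MUST start with whitespace: it continues the service line
# above it. Pasted at column 0, the -o lines are parsed as new, broken entries.
smtp       inet  n       -       n       -       -       smtpd
# postscreen variant for port 25; keep commented unless postscreen is wanted.
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
# STARTTLS is mandatory on 587 so credentials never cross the wire in clear.
# With "may" plus smtpd_tls_auth_only=no a client could AUTH before STARTTLS.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
# Wrapper mode: TLS from the first byte, so AUTH is always encrypted here and
# the smtpd_tls_auth_only override is irrelevant on this service.
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING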
smtp (port 25) needs to be uncommented, because many servers still deliver on port 25. submission is for STARTTLS (port 587); smtps is for SSL/TLS (port 465).
DOVECOT CONF
dovecot.conf
# Dovecot main config. Only IMAP is served; no POP3 or LMTP listener is enabled here.
protocols = imap
# "*" binds all IPv4 addresses; IPv6 would need "*, ::" (the Postfix side is IPv4-only too).
listen = *
# The remaining settings are stock defaults left commented out.
#base_dir = /var/run/dovecot/
#instance_name = dovecot
#login_greeting = Dovecot ready.
#login_trusted_networks =
#login_access_sockets =
#auth_proxy_self =
#verbose_proctitle = no
#shutdown_clients = yes
#doveadm_socket_path = doveadm-server
#import_environment = TZ
# Dictionary back-ends (quota/expire); none are enabled.
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Pulls in conf.d/, including the 10-ssl.conf shown below; local.conf is optional.
!include conf.d/*.conf
!include_try local.conf
DOVECOT CONF
conf.d/10-ssl.conf
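# Dovecot conf.d/10-ssl.conf
# "required": plaintext logins are refused unless the session is TLS-protected.
ssl = required
# "<" reads the value from the file; the .chain.pem presumably holds the
# server certificate plus intermediates (same file Postfix uses).
ssl_cert = </etc/pki/tls/certs/XXXXX.XX.chain.pem
ssl_key = </etc/pki/tls/private/XXXXX.XX.key
#ssl_key_password =
#ssl_ca =
#ssl_require_crl = yes
#ssl_client_ca_dir =
#ssl_client_ca_file =
#ssl_verify_client_cert = no
#ssl_cert_username_field = commonName
ssl_dh_parameters_length = 2048
# Disable SSLv3 as well, matching the Postfix and Apache settings in this
# thread. With only "!SSLv2", SSLv3 stays negotiable at the protocol level;
# the "!SSLv3" token in the cipher list filters suites, it does not turn the
# protocol off.
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SSLv2:!SSLv3
# The server, not the client, picks the suite from the ordered list above.
ssl_prefer_server_ciphers = yes
#ssl_crypto_device =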
What about the web server? For Nginx I use:
All modern browsers support this. Fast and secure.
For Apache 2.4 :
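# Apache 2.4 TLS vhost fragment (XXXXX.XX is the author's placeholder).
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/XXXXX.XX.crt
SSLCertificateKeyFile /etc/pki/tls/private/XXXXX.XX.key
# Intermediate chain. Apache 2.4.8+ deprecates this directive; the chain can
# be appended to the SSLCertificateFile instead.
SSLCertificateChainFile /etc/pki/tls/certs/XXXXX.XX.chain.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
# TLS-level compression is what the CRIME attack relies on. Off by default
# since 2.4.3 (where the directive appeared); stated explicitly here.
SSLCompression off
# "always" sends HSTS on every response class, not only on successful ones.
# max-age is the author's (~180 days); includeSubDomains is deliberately not
# added because it would cover hosts not shown here.
Header always set Strict-Transport-Security "max-age=15552001"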
All browsers in use that are kept updated (everything except those on Windows XP) support this.
On Qualys SSL Labs you can check your security rating: https://www.ssllabs.com/ssltest/analyze.html — I get an A+.
Hi (this is not an issue, but maybe a good practice).
I see many posts with SSL/TLS issue.
Maybe we could post TLS configurations that work?