Open gsauthof opened 4 years ago
I agree. I just updated my configuration and was wondering why the `smtp_*` variants are missing.
`smtp_tls_security_level = may`
👍
`smtp_tls_protocols = >=TLSv1.2`
(the equivalent syntax since Postfix 3.6; the default for `smtp` here is `>=TLSv1`)

Note:
> The following values are already Postfix defaults:
> `smtpd_tls_mandatory_ciphers = medium`
> `tls_preempt_cipherlist = no`
It's ok to be explicit with security settings that are still the defaults. A user may be applying the suggested config to an already configured instance where these may have been configured differently by mistake or intentionally.
IIRC:

`tls_preempt_cipherlist = yes` is fine for port 25, where your cipher support may be more broad for compatibility. The server provides the preference order and the client must choose the first one it is compatible with.

`tls_preempt_cipherlist = no` can be acceptable on the submission(s) ports 587 and 465, where you may enforce TLS and restrict the cipher list for authenticating clients to those that are only forward-secret compatible (EDIT: may have been AEAD specific.. it's been a while since I looked into this). Letting the client choose is better here.

While mandatory ciphers is set to `medium`, some may adjust this to `high` to alter the `high` cipher list if they customize the cipher list (against the advice of Postfix). Which can be useful when you use a security level of `encrypt`.
The config only focuses on `main.cf`, and not `master.cf`, where the submission(s) ports will apply their overrides for the additional security expectations.

`smtpd_tls_auth_only = yes`, presently used in the generator, shouldn't be relevant if port 25 doesn't offer SASL auth (which it shouldn't, but you do see this in the wild); it's implicit when using a security level of `encrypt`. By default SASL auth is disabled, as per `smtpd_sasl_auth_enable`.
`smtpd_tls_exclude_ciphers` can be relevant when you're comfortable dismissing the official Postfix docs' advice to avoid configuring it. DMS sets this (see the `git blame` history for reference; this explains SEED / CAMELLIA, and this for SHA1).
Take this generated config: https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1g&guideline=5.6

The following values are already Postfix defaults:

I've checked the Postfix documentation and the `postconf -d` output on Fedora 32.

Then there are some settings for when doing mandatory TLS, i.e.

although mandatory TLS isn't configured - cf. the `smtpd_tls_security_level = may` line, which configures opportunistic TLS. Thus, those options aren't effective here.

On the other hand, the sister options for opportunistic TLS are missing, i.e. this one is missing:

Also, the generated config only includes `smtpd_*` options and no `smtp_*` variants. Note that opportunistic TLS also makes sense when the mail server is sending mail, e.g. when SMTP-relaying mail to a destination server. Thus, the config is missing at least the following smtp options:
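As an added example (not code from this issue, the generator, or Postfix), the two checks described above can be automated: parse `main.cf` syntax, report `smtpd_tls_*` settings whose outbound `smtp_tls_*` sibling is missing, and flag `*_tls_mandatory_*` settings that are ineffective because the matching `*_tls_security_level` is `may` rather than `encrypt`. The sample `main.cf` text is constructed for this example and only modelled on a generator-style config.

```python
import re

# Constructed sample, modelled on a generator-style main.cf (not the real output).
SAMPLE_MAIN_CF = """\
# TLS settings for the inbound (smtpd) side only
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no
"""

# TLS parameters that exist for both the smtpd_ (inbound) and smtp_ (outbound) side.
# Global parameters such as tls_preempt_cipherlist have no sibling and are ignored.
PAIRED_TLS_PARAMS = {"security_level", "protocols", "mandatory_protocols",
                     "ciphers", "mandatory_ciphers", "exclude_ciphers", "loglevel"}

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that start with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:  # continuation of the previous value
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def check_tls_config(params):
    findings = []
    # 1) inbound setting present, outbound sibling missing: relaying as a client
    #    (opportunistic TLS) is left at the Postfix defaults.
    for name in sorted(params):
        suffix = name[len("smtpd_tls_"):]
        if name.startswith("smtpd_tls_") and suffix in PAIRED_TLS_PARAMS:
            if "smtp_tls_" + suffix not in params:
                findings.append(f"{name} set but smtp_tls_{suffix} missing")
    # 2) *_tls_mandatory_* only applies at security level encrypt or stronger;
    #    with '' / none / may (opportunistic TLS) it has no effect.
    for side in ("smtpd", "smtp"):
        level = params.get(f"{side}_tls_security_level", "none")
        for suffix in ("mandatory_protocols", "mandatory_ciphers"):
            name = f"{side}_tls_{suffix}"
            if name in params and level in ("", "none", "may"):
                findings.append(f"{name} ineffective at {side}_tls_security_level = {level}")
    return findings
```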