From 261cddbf8e6c123558a3d35131a199e10f72d21b Mon Sep 17 00:00:00 2001
From: taziden
Date: Fri, 26 Feb 2016 20:25:12 +0100
Subject: [PATCH 1/2] hardening postfix tls configuration
---
 data/templates/postfix/main.cf.sed | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/data/templates/postfix/main.cf.sed b/data/templates/postfix/main.cf.sed
index 394e23e0..c1301f2e 100644
--- a/data/templates/postfix/main.cf.sed
+++ b/data/templates/postfix/main.cf.sed
@@ -31,16 +31,18 @@ smtpd_tls_auth_only=yes
 smtpd_tls_cert_file=/etc/ssl/certs/yunohost_crt.pem
 smtpd_tls_key_file=/etc/ssl/private/yunohost_key.pem
 smtpd_tls_CAfile = /etc/ssl/certs/ca-yunohost_crt.pem
-smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
+smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_loglevel=1
 smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtpd_tls_mandatory_ciphers=high
+smtpd_tls_eecdh_grade = ultra
 # -- TLS for outgoing connections
 # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
 smtp_tls_loglevel=1
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
From 66ad33c285c83b7a9a24d1b9601067f1f31a431f Mon Sep 17 00:00:00 2001
From: taziden
Date: Fri, 26 Feb 2016 20:28:27 +0100
Subject: [PATCH 2/2] [enh] also set smtp cipher to high
---
 data/templates/postfix/main.cf.sed | 1 +
 1 file changed, 1 insertion(+)
diff --git a/data/templates/postfix/main.cf.sed b/data/templates/postfix/main.cf.sed
index c1301f2e..07fc0547 100644
--- a/data/templates/postfix/main.cf.sed
+++ b/data/templates/postfix/main.cf.sed
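Review bot: The `smtpd_tls_mandatory_protocols` / `smtpd_tls_mandatory_ciphers` pair that the new `smtpd_tls_eecdh_grade = ultra` line sits next to only takes effect when `smtpd_tls_security_level` is `encrypt`; that level is outside this hunk, and if it is `may` (the usual choice for a receiving MX) inbound sessions are governed by the opportunistic keys `smtpd_tls_protocols` / `smtpd_tls_ciphers`, so the SSLv2/SSLv3 restriction should be mirrored there, e.g. `smtpd_tls_protocols = !SSLv2,!SSLv3`. The widened `smtpd_tls_exclude_ciphers` list and its reuse via `smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers` do apply at every security level, so that part of the hardening holds regardless. On style, the added lines use `key = value` while the surrounding keys use `key=value`; Postfix accepts both, but the template reads better with one form.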
@@ -43,6 +43,7 @@ smtpd_tls_eecdh_grade = ultra
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+smtp_tls_mandatory_ciphers= $smtpd_tls_mandatory_ciphers
 smtp_tls_loglevel=1
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
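Review bot: The added `smtp_tls_mandatory_ciphers` line has no effect in this configuration, because the `smtp_tls_security_level=may` two lines above selects opportunistic TLS, whose cipher grade is controlled by `smtp_tls_ciphers`; as written the commit does not change the outbound cipher grade at all. Raising the opportunistic grade is also a trade-off worth stating: at `may`, a remote server that cannot negotiate a `high` cipher is not refused but delivered to in cleartext, so the shared exclude list with the default `smtp_tls_ciphers` grade is often the safer choice than `high`. If the intent is to keep the client aligned with the server whenever TLS is enforced, keep the line but add above it `# Only consulted when smtp_tls_security_level is encrypt/secure; opportunistic (may) sessions use smtp_tls_ciphers`. The spacing `key= $value` also differs from the `key = value` form used on the line just before it.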