Sorry, I should note that this is for postfix 3.6.4.
Scott
> -----Original Message-----
> From: Scott Hollenbeck via Postfix-users <postfix-users@postfix.org>
> Sent: Wednesday, February 28, 2024 8:55 AM
> To: postfix-users@postfix.org
> Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
Ciphers
>
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:
>
> main.cf:
>
> smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> smtpd_tls_security_level = may
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_protocols = >=TLSv1.2
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
>
> master.cf:
>
> submission inet n - n - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Here's what I see when I use nmap to retrieve the supported ciphers (note
> that there are only TLS 1.2 ciphers listed, and some are weak):
>
> $ nmap-ciphers 587 mysite.com
> Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> Nmap scan report for mysite.com (173.255.237.114)
> Host is up (0.00017s latency).
> Other addresses for mysite.com (not scanned):
> 2600:3c03::f03c:91ff:fe70:dbb
> rDNS record for 173.255.237.114: mysite.net
>
> PORT STATE SERVICE
> 587/tcp open submission
> | ssl-enum-ciphers:
> | TLSv1.2:
> | ciphers:
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> | TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> | TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> | TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> | TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> | TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> | TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> | TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> | TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> | TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
> | compressors:
> | NULL
> | cipher preference: client
> |_ least strength: F
>
> Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
> $
>
> Thanks for your guidance,
> Scott
>
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
