On 19/1/2012 8:54 μμ, Mark Alan wrote:
> This will give you a fairly secure submission:
>
> submission inet n - - - - smtpd
>   -o syslog_name=postfix-submission
>   -o tls_preempt_cipherlist=yes
>   -o smtpd_tls_mandatory_ciphers=high
>   -o smtpd_tls_exclude_ciphers=DES,3DES,MD5,aNULL
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>
> NOTES:
> - in the submission line please note the second dash '-' instead of
> your 'n' (it is safe and will spare you from a lot of chroot problems)
> - if using a Postfix newer than v.2.2 you should use
> smtpd_tls_security_level=encrypt, instead of smtpd_enforce_tls=yes.
> You can check the Postfix version using: postconf | grep mail_version
> - smtpd_tls_exclude_ciphers is used to exclude some of the weaker
> ciphers. Or, even better: DES,3DES,MD5,aNULL,AES128,CAMELLIA128
> To check what you will be getting execute:
> openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL@STRENGTH'
> openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL:!AES128:!CAMELLIA128@STRENGTH'
Thank you for the recommendations Mark.
I am running Postfix 2.8.3 (compiled from source) on CentOS 5.7 64-bit.
The OpenSSL package is openssl-0.9.8e-20.el5.
Here is the output (common for both commands you suggested):
# openssl ciphers -v 'HIGH:!DES:!3DES:!MD5:!aNULL:!AES128:!CAMELLIA128@STRENGTH'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
What do we get from it?
Nick