Afternoon postfix users. I am trying to improve the encrypted connection to my mail server running postfix 2.7.0-1ubuntu0.2, but doing tests with https://starttls.info/ I am getting very low scores (E grade) for a number of reasons, despite making what I thought were the necessary changes.

1) "There is a self-signed certificate in the trust chain. It may be a configuration problem"

I have a 4096-bit RSA cert signed by Comodo and configured in main.cf as follows:

  smtpd_tls_cert_file=/etc/ssl/private/mydomain_org.crt
  smtpd_tls_key_file=/etc/ssl/private/mydomain_org.key
  smtp_tls_CAfile = /etc/ssl/private/mydomain_org.ca-bundle

The .key and .csr were generated by me and the .csr sent to Comodo. Comodo sent back the .crt and the .ca-bundle.

The contents of my /etc/ssl/private is:

  -rw-r--r-- 1 root root 4101 2014-04-12 13:17 mydomain_org.ca-bundle
  -rw-r--r-- 1 root root 2108 2014-04-12 13:17 mydomain_org.crt
  -rw-r--r-- 1 root root 1411 2014-04-12 13:17 mydomain_org.csr
  -rw------- 1 root root 2994 2014-04-12 13:17 mydomain_org.key

I use the same certificate for the website too and do not get "self-signed certificate" errors. Is there something obvious I did wrong here?


2) Protocol: Supports SSLV2

3) Key exchange: Anonymous Diffie-Hellman is accepted. This is susceptible to Man-in-the-Middle attacks.

I am not sure where this gets set so I can disable it.

4) Cipher: Weakest accepted cipher: 0

I am not sure where to set this to a higher bit rate. Strongest is 256 so a low of 128 would be good.

¬Juan
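Added example (not part of Juan's post, and not Postfix project code): a small linter that parses main.cf-style `name = value` text and checks it against the four report items above. The parameter names it looks for (`smtpd_tls_CAfile`, `smtpd_tls_protocols`, `smtpd_tls_exclude_ciphers`, `smtpd_tls_ciphers`) are real Postfix parameters available in the 2.7 series; the assumption it encodes is that the report is about the SMTP server side, which reads the `smtpd_tls_*` parameters, whereas `smtp_tls_*` parameters configure Postfix when it acts as a client. The two embedded configs are constructed: the first reproduces the three lines quoted in the post, the second is a hardened counterpart using the post's file paths.

```python
"""Lint Postfix main.cf TLS settings for the four starttls.info findings."""
import re

# Constructed sample: the three main.cf lines quoted in the post.
POSTED_CONFIG = """
smtpd_tls_cert_file=/etc/ssl/private/mydomain_org.crt
smtpd_tls_key_file=/etc/ssl/private/mydomain_org.key
smtp_tls_CAfile = /etc/ssl/private/mydomain_org.ca-bundle
"""

# Constructed hardened counterpart (same file paths; parameter names are Postfix's).
HARDENED_CONFIG = """
smtpd_tls_cert_file = /etc/ssl/private/mydomain_org.crt
smtpd_tls_key_file = /etc/ssl/private/mydomain_org.key
smtpd_tls_CAfile = /etc/ssl/private/mydomain_org.ca-bundle
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, MD5, RC4
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
"""


def parse_main_cf(text):
    """Parse main.cf text into {name: value}. Lines starting with whitespace
    continue the previous parameter; '#' lines are comments; last value wins."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:      # continuation line
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def cipher_tokens(value):
    """Split a Postfix cipher list on commas/whitespace, upper-cased for comparison."""
    return {t.upper() for t in re.split(r"[,\s]+", value) if t}


def lint_smtpd_tls(text):
    """Return finding codes for the server-side (smtpd) TLS settings in `text`:
    chain   - intermediates not supplied to the server (only smtp_tls_CAfile set)
    sslv2   - SSLv2 not excluded from smtpd_tls_protocols
    adh     - anonymous (aNULL) ciphers not excluded
    ciphers - cipher grade absent or weaker than 'medium'"""
    p = parse_main_cf(text)
    findings = []

    # 1) Chain: smtp_tls_CAfile configures the SMTP client. The server needs the
    #    intermediates in smtpd_tls_CAfile or appended to smtpd_tls_cert_file.
    if "smtpd_tls_CAfile" not in p:
        findings.append("chain")

    # 2) SSLv2: Postfix 2.7 leaves smtpd_tls_protocols empty (all protocols) by
    #    default, so SSLv2 stays enabled unless excluded explicitly.
    protocols = cipher_tokens(p.get("smtpd_tls_protocols", ""))
    if "!SSLV2" not in protocols:
        findings.append("sslv2")

    # 3) Anonymous DH: excluded only when aNULL is in smtpd_tls_exclude_ciphers.
    if "ANULL" not in cipher_tokens(p.get("smtpd_tls_exclude_ciphers", "")):
        findings.append("adh")

    # 4) Cipher grade: 'export' and 'low' admit very weak suites; medium/high do not.
    if p.get("smtpd_tls_ciphers", "export").lower() not in ("medium", "high"):
        findings.append("ciphers")

    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_smtpd_tls(cfg) or "no findings")
```

Run against the posted config it reports all four items; against the hardened config it reports none. The linter reads settings only, so after editing main.cf the server should still be checked live (for example with `openssl s_client -starttls smtp` against port 25) to confirm the presented chain and the negotiated protocol and cipher.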
