On 08/19/2015 07:51 AM, Viktor Dukhovni wrote:
On Wed, Aug 19, 2015 at 12:09:13PM +0200, L.P.H. van Belle wrote:
Try it like this, there is no need for combining the certificates.
Actually, there is. It avoids the need to worry about the CApath,
which can then be left empty.
if [ -d /etc/ssl/private ]; then
mkdir -p /etc/ssl/private
chmod 710 /etc/ssl/private
fi
I ended up specifying smtpd_tls_CAfile
which has both the intermediary certs.
That works well and is not difficult to do
The DH parameters are public data, no need for "private".
# Postfix enabled
postconf -e "smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
There's no need to exclude aNULL, it is disabled automatically as
necessary. Also DES and EXPORT are already excluded from "medium".
This is not a well thought out list of exclusions. A few of the
above don't even exist (to be excluded).
No cargo-cult settings please.
This is what I am using
smtpd_tls_exclude_ciphers = RC4, 3DES, IDEA
I still have to go through.
For port 25 I don't feel like I need to be as picky - e-mail should only
be considered private when it is encrypted, and DKIM can verify it
hasn't been modified since leaving my server.
But port 587 I wish I could be super picky about allowed ciphers because
that's where users authenticate (though there's not a way I no of yet
anyway to stop them from using 25 except when their ISP blocks it) and
authentication does need to be kept private.
