This document shows how to generate and use a custom 2048-bit Diffie-Hellman parameter for Postfix and how to disable export cipher suites. This mitigates at least part of the Diffie-Hellman problem found in May 2015, see [0].
You need postfix version 2.2 or higher.
All commands should normally be run as root.
NOTE: Using a 2048-bit Diffie-Hellman parameter as proposed by this manual breaks compatibility with some other software. See also [1]. If you need that compatibility, use 1024 instead of 2048; the essential part of mitigating the DH problem is generating a new parameter.
Don't confuse “config[uration] param[eter]” (a setting in the Postfix config file) with “DH param[eter]” (a Diffie-Hellman parameter, essentially a big prime number, or the file containing it).
Generation using openssl-dhparam.
NOTE: If you have a separate readable-by-root-only folder (which you should have in a sensible TLS setup) then change the file path below to put the file in that folder. Also substitute your path in all subsequent commands.
openssl dhparam -out /etc/postfix/dh2048.pem 2048
The 2048 at the end makes the dh parameter 2048 bits.
Ensure “root” is file owner and group.
You can skip this command if you already know (eg. from “ls -l <filename>”) the file has root:root owner/group.
chown root:root /etc/postfix/dh2048.pem
Set r-- --- --- (400) permissions for the param file. Nobody should have write or execute access, and read access should be restricted to root.
chmod 400 /etc/postfix/dh2048.pem
Postfix reads the file before switching to a less privileged user on startup, so if your postfix instance (or some of its daemons) is not running as root, the parameter file can still be read.
The config parameter name contains “dh1024” because until now 1024 bit was recommended (see [1]). You can use a 2048-bit file with this config parameter; Postfix can handle that. Documentation: [2]
Add this line to your main.cf:
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
This configuration may break compatibility with some older software. Use it only as a guideline and look up the parameters in case of doubt. See below for some additional information about the ciphers used in the config example.
You should already have a TLS configuration; check yours against this suggestion. The important part is to make sure you don't use export ciphers, which use DH parameters below 1024 bit.
THIS IS NOT A FULL POSTFIX TLS CONFIGURATION!
## ciphers config (server side)
# Cipher security grade to use.
# Only for connections/services where TLS is set to mandatory
# (eg. for SASL connections), smtpd_tls_ciphers is the
# equivalent for non-mandatory connections
smtpd_tls_mandatory_ciphers = high
# set also non-mandatory to high.
smtpd_tls_ciphers = high
# Set protocols to not use
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
# security grade for ephemeral elliptic-curve Diffie-Hellman KEX
smtpd_tls_eecdh_grade = ultra
# Exclude unsafe ciphers.
smtpd_tls_exclude_ciphers = NULL, aNULL, EXP, SSLv2, MD5, DES, RC4, aECDH, KRB5-DE5, CBC3-SHA
## Client side
# Exclude unsafe ciphers.
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
# exclude unsafe protocols
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = $smtp_tls_mandatory_protocols
postfix reload
And you're done!
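To check a host against the steps above, the following added example (not part of the original howto) reads main.cf directly and reports settings from this howto that are missing. The function names are made up for this example. It assumes the settings are written explicitly in main.cf; it does not know the built-in defaults of your Postfix version, so an unset parameter is reported as a finding.

```shell
#!/bin/sh
# Added example, not from the howto: audit main.cf against the settings above.
# cf_value FILE NAME: print NAME's value, joining continuation lines and
# expanding $name references (the ${name} form is not handled).
cf_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                   # comment or blank line
        /^[ \t]/ {                                # continuation of previous
            if (name != "") { sub(/^[ \t]+/, ""); val[name] = val[name] " " $0 }
            next
        }
        (eq = index($0, "=")) {
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[name] = v
        }
        END {
            v = val[want]
            for (i = 0; i < 10 && match(v, /\$[A-Za-z0-9_]+/); i++) {
                ref = substr(v, RSTART + 1, RLENGTH - 1)
                v = substr(v, 1, RSTART - 1) val[ref] substr(v, RSTART + RLENGTH)
            }
            print v
        }' "$1"
}
# has_token LIST TOKEN: true if TOKEN is a whole element of LIST
has_token() { printf '%s\n' "$1" | tr ',: ' '\n\n\n' | grep -qxF -- "$2"; }
fail() { echo "FAIL: $*"; failures=$((failures + 1)); }

# audit_postfix_dh MAIN_CF [UID:GID]: returns the number of findings (0 = ok)
audit_postfix_dh() {
    failures=0; want_own=${2:-0:0}
    pf=$(cf_value "$1" smtpd_tls_dh1024_param_file)
    if [ -z "$pf" ] || [ ! -f "$pf" ]; then
        fail "smtpd_tls_dh1024_param_file unset or file missing"
    elif [ "$(ls -ldn "$pf" | awk '{print substr($1,1,10), $3 ":" $4}')" != "-r-------- $want_own" ]; then
        fail "$pf is not mode 400 with owner:group $want_own"
    fi
    for side in smtpd smtp; do
        ex=$(cf_value "$1" "${side}_tls_exclude_ciphers")
        has_token "$ex" EXP || has_token "$ex" EXPORT || fail "$side: EXP not excluded"
        for p in "${side}_tls_protocols" "${side}_tls_mandatory_protocols"; do
            v=$(cf_value "$1" "$p")
            has_token "$v" '!SSLv2' && has_token "$v" '!SSLv3' || fail "$p does not list !SSLv2 and !SSLv3"
        done
    done
    return "$failures"
}
if [ $# -gt 0 ]; then audit_postfix_dh "$@"; fi
```

Run it as root with the path to your main.cf as the only argument; the exit status is the number of findings.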
NULL
eNULL or NULL (synonymous) are ciphers without encryption.
aNULL
aNULL are ciphers without authentication. These begin with a capital 'A' (e.g. ADH-RC4-MD5).
EXP
EXP or EXPORT (synonymous) are the weakened export ciphers. These include ciphers with Diffie-Hellman parameters below 1024bit.
SSLv2
Old SSLv2 ciphers, you don't want to use them anymore.
On the other hand, these should already be disabled by the use of smtpd_tls_ciphers = high and smtpd_tls[_mandatory]_protocols = !SSLv2, !SSLv3
MD5, DES, RC4
Old algorithms that are not considered secure anymore.
aECDH
All non-ephemeral elliptic curve Diffie-Hellman ciphers. Ephemeral means you generate a new keypair for every connection or session. Without ephemeral keys you have a static public key (sometimes used for authentication of your public key by a third party, which is not the same as a certificate signature by a third party).
Without “ephemeral” your connection does not have perfect forward secrecy, so you definitely want to disable these ciphers.
KRB5-DE5, CBC3-SHA
Both are recommended to explicitly be disabled on the weakdh website [0]. KRB5 is Kerberos, normally not available unless you have additional Kerberos libraries installed. CBC3 is using 3DES. I don't know why exactly weakdh doesn't want these two. But disabling them won't hurt.
additional ciphers in the weakdh list
weakdh explicitly lists EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA in addition to my list.
But both are already excluded with smtpd_tls_[mandatory_]protocols = !SSLv2, !SSLv3
If you need to have SSLv3 activated, add both to your excluded ciphers list.
This howto is Public Domain (CC-0). If you have suggestions for improvement of this document (NO support), mail to 0xBE53AA6C0175D01D
Version 2, 2015-05-22
[1] http://postfix.1071664.n5.nabble.com/Diffie-Hellman-parameters-tp63096p63098.html
[2] http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file