This shows you the differences between two versions of the page.
Previous revision: weakdh:postfix-harden [2015/05/22 12:32] komsat [Step 2: Set permissions]
Current revision: weakdh:postfix-harden [2015/06/18 17:06] komsat
| Line 56: | Line 56: | ||
| The config parameter contains "dh1024", because until now 1024bit | The config parameter contains "dh1024", because until now 1024bit | ||
| - | was recommended (see link at top). You can use a 2048bit file with | + | was recommended (see [1]). You can use a 2048bit file with |
| this config parameter, postfix can handle that. Documentation: [2] | this config parameter, postfix can handle that. Documentation: [2] | ||
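Review bot: the sentence about using a 2048-bit file now cites [1], a mailing-list thread, while the same line already points at [2], the postconf(5) entry for smtpd_tls_dh1024_param_file, which is the authoritative source for what the parameter accepts; cite [2] for the claim and keep [1] as background reading.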
| Line 77: | Line 77: | ||
| <code> | <code> | ||
| - | ## ciphers config (server side) | + | ## ciphers config (server side) |
| - | + | ||
| - | # Cipher security grade to use. | + | |
| - | # Only for connections/services where TLS is set to mandatory | + | |
| - | # (eg. for SASL connections), smtpd_tls_ciphers is the | + | |
| - | # equivalent for non-mandatory connections | + | |
| - | smtpd_tls_mandatory_ciphers = high | + | |
| - | + | ||
| - | # set also non-mandatory to high. | + | |
| - | smtpd_tls_ciphers = high | + | |
| - | + | ||
| - | # Set protocols to not use | + | |
| - | smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 | + | |
| - | smtpd_tls_protocols = $smtpd_tls_mandatory_protocols | + | |
| - | + | ||
| - | # security grade for ephemeral elliptic-curve Diffie-Hellman KEX | + | |
| - | smtpd_tls_eecdh_grade = ultra | + | |
| - | + | ||
| - | # Exclude unsafe ciphers. | + | |
| - | smtpd_tls_exclude_ciphers = | + | |
| - | NULL, | + | |
| - | aNULL, | + | |
| - | EXP, | + | |
| - | MD5, | + | |
| - | DES, | + | |
| - | SSLv2, | + | |
| - | RC4, | + | |
| - | aECDH, | + | |
| - | KRB5-DE5, | + | |
| - | CBC3-SHA | + | |
| + | # Cipher security grade to use. | ||
| + | # Only for connections/services where TLS is set to mandatory | ||
| + | # (eg. for SASL connections), smtpd_tls_ciphers is the | ||
| + | # equivalent for non-mandatory connections | ||
| + | smtpd_tls_mandatory_ciphers = high | ||
| + | |||
| + | # set also non-mandatory to high. | ||
| + | smtpd_tls_ciphers = high | ||
| + | |||
| + | # Set protocols to not use | ||
| + | smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 | ||
| + | smtpd_tls_protocols = $smtpd_tls_mandatory_protocols | ||
| + | |||
| + | # security grade for ephemeral elliptic-curve Diffie-Hellman KEX | ||
| + | smtpd_tls_eecdh_grade = ultra | ||
| + | |||
| + | # Exclude unsafe ciphers. | ||
| + | smtpd_tls_exclude_ciphers = | ||
| + | NULL, | ||
| + | aNULL, | ||
| + | EXP, | ||
| + | SSLv2, | ||
| + | MD5, | ||
| + | DES, | ||
| + | RC4, | ||
| + | aECDH, | ||
| + | KRB5-DE5, | ||
| + | CBC3-SHA | ||
| ## Client side | ## Client side | ||
| - | + | ||
| - | # Exclude unsafe ciphers. | + | # Exclude unsafe ciphers. |
| - | smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers | + | smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers |
| - | smtp_tls_mandatory_ciphers = high | + | smtp_tls_mandatory_ciphers = high |
| - | smtp_tls_ciphers = $smtp_tls_mandatory_ciphers | + | smtp_tls_ciphers = $smtp_tls_mandatory_ciphers |
| - | + | ||
| - | # exclude unsafe protocols | + | # exclude unsafe protocols |
| - | smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 | + | smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 |
| - | smtp_tls_protocols = $smtp_tls_mandatory_protocols | + | smtp_tls_protocols = $smtp_tls_mandatory_protocols |
| </code> | </code> | ||
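Review bot: `KRB5-DE5` in smtpd_tls_exclude_ciphers is not an OpenSSL cipher-suite name or alias (the Kerberos suites are named KRB5-DES-CBC-SHA, KRB5-DES-CBC3-SHA and so on), so it reads as a typo carried over from the weakdh list; `CBC3-SHA` has the same problem, being only the tail of names such as DES-CBC3-SHA. OpenSSL ignores an unrecognised name in an exclusion rule rather than failing, so these two entries remove nothing, and on OpenSSL 1.0.x the triple-DES suites remain inside `high`. Suggest the `3DES` alias in place of `CBC3-SHA` and `KRB5` (or the full suite names) in place of `KRB5-DE5`, then confirm the resulting list with `openssl ciphers -v 'HIGH:!NULL:!aNULL:!EXP:!MD5:!DES:!SSLv2:!RC4:!aECDH:!KRB5:!3DES'`. Apart from that, this hunk only swaps the order of SSLv2 and MD5 and drops blank lines, so showing the whole block as removed and re-added hides the real change.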
| Line 124: | Line 123: | ||
| <code>postfix reload</code> | <code>postfix reload</code> | ||
| + | And you're done! | ||
| ===== Details about ciphers to be excluded ===== | ===== Details about ciphers to be excluded ===== | ||
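Review bot: "And you're done!" right after `postfix reload` leaves out verification; a reload accepts a main.cf with a misspelled parameter without complaint, so add a check that the settings are live, e.g. `postconf smtpd_tls_exclude_ciphers smtpd_tls_mandatory_protocols` to print the active values and `openssl s_client -starttls smtp -connect localhost:25` against your own server to see which protocol and cipher are actually negotiated.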
| Line 131: | Line 130: | ||
| <code>aNULL</code> | <code>aNULL</code> | ||
| - | aNULL (synonymous) are ciphers without authentication. | + | aNULL are ciphers without authentication. |
| These begin with a big 'A' letter (eg. ADH-RC4-MD5). | These begin with a big 'A' letter (eg. ADH-RC4-MD5). | ||
| Line 141: | Line 140: | ||
| Old SSLv2 ciphers, you don't want to use them anymore. | Old SSLv2 ciphers, you don't want to use them anymore. | ||
| On the other hand, these should already be disabled by the use of | On the other hand, these should already be disabled by the use of | ||
| - | <code>smtpd_tls_ciphers = high</code> and | + | ''smtpd_tls_ciphers = high'' and ''smtpd_tls[_mandatory]_protocols = !SSLv2, !SSLv3'' |
| - | <code>smtpd_tls[_mandatory]_protocols = !SSLv2, !SSLv3</code> | + | |
| + | <code>MD5, DES, RC4</code> | ||
| + | Old algorithms that are not considered secure anymore. | ||
| <code>aECDH</code> | <code>aECDH</code> | ||
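Review bot: the new explanation for `MD5, DES, RC4` ("Old algorithms that are not considered secure anymore") would serve readers better with one reason each, as the aNULL entry does: MD5 is a broken hash used here as the record MAC, DES has a 56-bit key, and RC4 has known keystream biases. Also worth stating next to DES that the OpenSSL `DES` alias matches single-DES suites only; triple-DES suites are selected by the separate `3DES` alias.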
| Line 158: | Line 159: | ||
| libraries installed. CBC3 is using 3DES. I don't know why exactly weakdh | libraries installed. CBC3 is using 3DES. I don't know why exactly weakdh | ||
| doesn't want these two. But disabling them won't hurt. | doesn't want these two. But disabling them won't hurt. | ||
| + | |||
| + | **additional ciphers in the weakdh list** | ||
| weakdh explicitly lists | weakdh explicitly lists | ||
| Line 163: | Line 166: | ||
| in addition to my list. | in addition to my list. | ||
| But both are already excluded with | But both are already excluded with | ||
| - | <code>smtpd_tls_[mandatory_]protocols = !SSLv2, !SSLv3</code> | + | ''smtpd_tls_[mandatory_]protocols = !SSLv2, !SSLv3'' |
| If you need to have SSLv3 activated, add both to your excluded ciphers list. | If you need to have SSLv3 activated, add both to your excluded ciphers list. | ||
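Review bot: the claim "both are already excluded with smtpd_tls_[mandatory_]protocols = !SSLv2, !SSLv3" does not follow: that parameter disables the SSLv3 protocol version, whereas the two suites from the weakdh list (named in the lines not shown in this hunk) are cipher suites, and suites introduced with SSLv3 stay negotiable under TLS 1.0 to 1.2 as long as the cipher list allows them. Add both to smtpd_tls_exclude_ciphers unconditionally and drop the "If you need to have SSLv3 activated" condition; the protocol setting and the cipher exclusion list control different things.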
| Line 171: | Line 174: | ||
| improvement of this document (NO support), mail to 0xBE53AA6C0175D01D | improvement of this document (NO support), mail to 0xBE53AA6C0175D01D | ||
| - | Version 1, 2015-05-20 | + | Version 2, 2015-05-22 |
| [0] https://weakdh.org/ | [0] https://weakdh.org/ | ||
| Line 177: | Line 180: | ||
| [1] http://postfix.1071664.n5.nabble.com/Diffie-Hellman-parameters-tp63096p63098.html | [1] http://postfix.1071664.n5.nabble.com/Diffie-Hellman-parameters-tp63096p63098.html | ||
| - | [2] http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file | + | [2] http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file ==== |
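Review bot: the `====` appended to the [2] reference line is stray DokuWiki heading markup; on its own it renders literally or as a malformed heading rather than closing anything, so remove it, or put a complete `==== Title ====` line on its own line if a new section was intended.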