Warning: Declaration of action_plugin_indexmenu::register(&$controller) should be compatible with DokuWiki_Action_Plugin::register(Doku_Event_Handler $controller) in /home/httpd/vhosts/scratchbook.ch/wiki.scratchbook.ch/lib/plugins/indexmenu/action.php on line 18 Warning: Cannot modify header information - headers already sent by (output started at /home/httpd/vhosts/scratchbook.ch/wiki.scratchbook.ch/lib/plugins/indexmenu/action.php:0) in /home/httpd/vhosts/scratchbook.ch/wiki.scratchbook.ch/inc/auth.php on line 495 Warning: Cannot modify header information - headers already sent by (output started at /home/httpd/vhosts/scratchbook.ch/wiki.scratchbook.ch/lib/plugins/indexmenu/action.php:0) in /home/httpd/vhosts/scratchbook.ch/wiki.scratchbook.ch/inc/actions.php on line 210 How to harden your postfix setup after dhgate [Scratchbook]

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
weakdh:postfix-harden [2015/05/22 12:36]
komsat [Details about ciphers to be excluded] 		weakdh:postfix-harden [2015/06/18 17:06] (current)
komsat
Line 77: Line 77:
  
 <​code>​ <​code>​
- ## ciphers config (server side) +## ciphers config (server side)
-  +
- # Cipher security grade to use. +
- # Only for connections/​services where TLS is set to mandatory +
- # (eg. for SASL connections),​ smtpd_tls_ciphers is the +
- # equivalent for non-mandatory connections +
- ​smtpd_tls_mandatory_ciphers = high +
-  +
- # set also non-mandatory to high. +
- ​smtpd_tls_ciphers = high +
-  +
- # Set protocols to not use +
- ​smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 +
- ​smtpd_tls_protocols = $smtpd_tls_mandatory_protocols +
-  +
- # security grade for ephemeral elliptic-curve Diffie-Hellman KEX +
- ​smtpd_tls_eecdh_grade = ultra +
-  +
- # Exclude unsafe ciphers. +
- ​smtpd_tls_exclude_ciphers = +
-         ​NULL,​ +
-         ​aNULL,​ +
-         ​EXP,​ +
-         ​SSLv2,​ +
-         ​MD5,​ +
-         ​DES,​ +
-         ​RC4,​ +
-         ​aECDH,​ +
-         ​KRB5-DE5,​ +
-         ​CBC3-SHA+
  
 +# Cipher security grade to use.
 +# Only for connections/​services where TLS is set to mandatory
 +# (eg. for SASL connections),​ smtpd_tls_ciphers is the
 +# equivalent for non-mandatory connections
 +smtpd_tls_mandatory_ciphers = high
 +
 +# set also non-mandatory to high.
 +smtpd_tls_ciphers = high
 +
 +# Set protocols to not use
 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 +smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 +
 +# security grade for ephemeral elliptic-curve Diffie-Hellman KEX
 +smtpd_tls_eecdh_grade = ultra
 +
 +# Exclude unsafe ciphers.
 +smtpd_tls_exclude_ciphers =
 +        NULL,
 +        aNULL,
 +        EXP,
 +        SSLv2,
 +        MD5,
 +        DES,
 +        RC4,
 +        aECDH,
 +        KRB5-DE5,
 +        CBC3-SHA
  ## Client side  ## Client side
-  + 
- # Exclude unsafe ciphers. +# Exclude unsafe ciphers. 
- ​smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers +smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers 
- ​smtp_tls_mandatory_ciphers = high +smtp_tls_mandatory_ciphers = high 
- ​smtp_tls_ciphers = $smtp_tls_mandatory_ciphers +smtp_tls_ciphers = $smtp_tls_mandatory_ciphers 
-  + 
- # exclude unsafe protocols +# exclude unsafe protocols 
- ​smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 
- ​smtp_tls_protocols = $smtp_tls_mandatory_protocols+smtp_tls_protocols = $smtp_tls_mandatory_protocols
 </​code>​ </​code>​
  
Line 124: Line 123:
 <​code>​postfix reload</​code>​ <​code>​postfix reload</​code>​
  
 +And you're done!
 ===== Details about ciphers to be excluded ===== ===== Details about ciphers to be excluded =====
  
Line 131: Line 130:
  
 <​code>​aNULL</​code>​ <​code>​aNULL</​code>​
-aNULL (synonymous) ​are ciphers without authentication.+aNULL are ciphers without authentication.
 These begin with a big '​A'​ letter (eg. ADH-RC4-MD5). These begin with a big '​A'​ letter (eg. ADH-RC4-MD5).
  
Line 160: Line 159:
 libraries installed. CBC3 is using 3DES. I don't know why exactly weakdh libraries installed. CBC3 is using 3DES. I don't know why exactly weakdh
 doesn'​t want these two. But disabling them won't hurt. doesn'​t want these two. But disabling them won't hurt.
 +
 +**additional ciphers in the weakdh list**
  
 weakdh explicitly lists weakdh explicitly lists
Line 173: Line 174:
 improvement of this document (NO support), mail to 0xBE53AA6C0175D01D improvement of this document (NO support), mail to 0xBE53AA6C0175D01D
  
-Version ​1, 2015-05-20+Version ​2, 2015-05-22
  
 [0] https://​weakdh.org/​ [0] https://​weakdh.org/​
Line 179: Line 180:
 [1] http://​postfix.1071664.n5.nabble.com/​Diffie-Hellman-parameters-tp63096p63098.html [1] http://​postfix.1071664.n5.nabble.com/​Diffie-Hellman-parameters-tp63096p63098.html
  
-[2] http://​www.postfix.org/​postconf.5.html#​smtpd_tls_dh1024_param_file+[2] http://​www.postfix.org/​postconf.5.html#​smtpd_tls_dh1024_param_file ​==== 
weakdh/postfix-harden.1432291014.txt · Last modified: 2015/05/22 12:36 by komsat
Back to top
GNU Free Documentation License 1.3
chimeric.de = chi`s home Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0