Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

postfix: configure preferred curves and disable FFDHE

Browse source 
This aligns with the intermediate configuration recommended by Mozilla.
This commit is contained in:
Martin Weinelt 2025-06-13 03:02:26 +02:00
parent e27326d317
commit 3828b00dea
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
1 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
mail-server/postfix.nix
View file

@ -296,6 +296,20 @@ in
smtp_tls_exclude_ciphers = "eNULL, aNULL";
smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
# Restrict and prioritize the following curves in the given order
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
# https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
# https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7
tls_eecdh_auto_curves = [
"X25519"
"prime256v1"
"secp384r1"
];
# Disable FFDHE on TLSv1.3 because it is slower than elliptic curves
# https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups
tls_ffdhe_auto_groups = [ ];
# As long as all cipher suites are considered safe, let the client use its preferred cipher
tls_preempt_cipherlist = false;