postfix: refactor and prune TLS settings
- Groups settings between server and client - Uses a range comparator for supported TLS versions - Prune excluded primitives to what affects the supported TLS versions
This commit is contained in:
parent
e0ab4eeb67
commit
e27326d317
1 changed files with 28 additions and 22 deletions
|
@ -240,11 +240,6 @@ in
|
|||
# Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
|
||||
lmtp_destination_recipient_limit = "1";
|
||||
|
||||
# Opportunistic DANE support
|
||||
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level
|
||||
smtp_dns_support_level = "dnssec";
|
||||
smtp_tls_security_level = "dane";
|
||||
|
||||
# sasl with dovecot
|
||||
smtpd_sasl_type = "dovecot";
|
||||
smtpd_sasl_path = "/run/dovecot2/auth";
|
||||
|
@ -266,33 +261,44 @@ in
|
|||
"check_policy_service unix:/run/dovecot2/quota-status"
|
||||
];
|
||||
|
||||
# TLS settings, inspired by https://github.com/jeaye/nix-files
|
||||
# Submission by mail clients is handled in submissionOptions
|
||||
# TLS for incoming mail is optional
|
||||
smtpd_tls_security_level = "may";
|
||||
|
||||
# Disable obselete protocols
|
||||
smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
||||
smtp_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
||||
smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
||||
smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
|
||||
# But required for authentication attempts
|
||||
smtpd_tls_auth_only = true;
|
||||
|
||||
smtp_tls_ciphers = "high";
|
||||
# TLS versions supported for the SMTP server
|
||||
smtpd_tls_protocols = ">=TLSv1.2";
|
||||
smtpd_tls_mandatory_protocols = ">=TLSv1.2";
|
||||
|
||||
# Require ciphersuites that OpenSSL classifies as "High"
|
||||
smtpd_tls_ciphers = "high";
|
||||
smtp_tls_mandatory_ciphers = "high";
|
||||
smtpd_tls_mandatory_ciphers = "high";
|
||||
|
||||
# Disable deprecated ciphers
|
||||
smtpd_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
|
||||
smtpd_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
|
||||
smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
|
||||
smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
|
||||
# Exclude cipher suites with undesirable properties
|
||||
smtpd_tls_exclude_ciphers = "eNULL, aNULL";
|
||||
smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
|
||||
|
||||
# Opportunistic DANE support when delivering mail to other servers
|
||||
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level
|
||||
smtp_dns_support_level = "dnssec";
|
||||
smtp_tls_security_level = "dane";
|
||||
|
||||
# TLS versions supported for the SMTP client
|
||||
smtp_tls_protocols = ">=TLSv1.2";
|
||||
smtp_tls_mandatory_protocols = ">=TLSv1.2";
|
||||
|
||||
# Require ciphersuites that OpenSSL classifies as "High"
|
||||
smtp_tls_ciphers = "high";
|
||||
smtp_tls_mandatory_ciphers = "high";
|
||||
|
||||
# Exclude ciphersuites with undesirable properties
|
||||
smtp_tls_exclude_ciphers = "eNULL, aNULL";
|
||||
smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
|
||||
|
||||
# As long as all cipher suites are considered safe, let the client use its preferred cipher
|
||||
tls_preempt_cipherlist = false;
|
||||
|
||||
# Allowing AUTH on a non encrypted connection poses a security risk
|
||||
smtpd_tls_auth_only = true;
|
||||
|
||||
# Log only a summary message on TLS handshake completion
|
||||
smtp_tls_loglevel = "1";
|
||||
smtpd_tls_loglevel = "1";
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue