Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'nuke-sha1' into 'master'

Browse source 
postfix: disable SHA1 for SMTP connections

See merge request simple-nixos-mailserver/nixos-mailserver!420
This commit is contained in:
Martin Weinelt 2025-06-18 16:54:39 +00:00
commit ed6d699eb4
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
mail-server/postfix.nix
View file

@ -340,8 +340,8 @@ in
smtpd_tls_mandatory_ciphers = "high"; smtpd_tls_mandatory_ciphers = "high";
# Exclude cipher suites with undesirable properties # Exclude cipher suites with undesirable properties
smtpd_tls_exclude_ciphers = "eNULL, aNULL"; smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL"; smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
# Opportunistic DANE support when delivering mail to other servers # Opportunistic DANE support when delivering mail to other servers
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
@ -357,8 +357,8 @@ in
smtp_tls_mandatory_ciphers = "high"; smtp_tls_mandatory_ciphers = "high";
# Exclude ciphersuites with undesirable properties # Exclude ciphersuites with undesirable properties
smtp_tls_exclude_ciphers = "eNULL, aNULL"; smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL"; smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
# Restrict and prioritize the following curves in the given order # Restrict and prioritize the following curves in the given order
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.