From 46d14bcdf0cad7532f5a972c01f9c044d7023e83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20D=C3=B6rfler?= Date: Tue, 19 Sep 2017 23:54:40 +0200 Subject: [PATCH 1/2] Increased security of TLS encryption --- mail-server/postfix.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 5ef634f..daae1d3 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -83,6 +83,21 @@ in smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination + + # TLS settings, inspired by https://github.com/jeaye/nix-files + smtpd_tls_security_level = may # Submission by mail clients is handled in submissionOptions + smtpd_tls_eecdh_grade = ultra # strong might suffice and is computationally less expensive + smtpd_tls_protocols = !SSLv2, !SSLv3 # Disable predecessors to TLS + smtpd_tls_auth_only = yes # Allowing AUTH on a non encrypted connection poses a security risk + smtpd_tls_loglevel = 1 # Log only a summary message on TLS handshake completion + + # Disable weak ciphers as reported by https://ssl-tools.net + # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix + smtpd_tls_exclude_ciphers = RC4, aNULL + smtp_tls_exclude_ciphers = RC4, aNULL + + # Configure a non blocking source of randomness + tls_random_source = dev:/dev/urandom ''; submissionOptions = From 4e5dd5db9560599406ce576814f5c356816df0c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20D=C3=B6rfler?= Date: Wed, 20 Sep 2017 09:00:17 +0200 Subject: [PATCH 2/2] Removed superflous tls_auth_only = yes --- mail-server/postfix.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index daae1d3..39ad90a 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -66,7 +66,6 @@ in # Extra Config smtpd_banner = $myhostname ESMTP NO UCE - smtpd_tls_auth_only = yes disable_vrfy_command = yes message_size_limit = 20971520