Yet again I found my mail server not actually working. Found a better, wider cipher list. And I enforced encryption on both c2s and s2s connections.
This commit is contained in:
parent
50708d5465
commit
b7f60c974b
@ -129,12 +129,12 @@ block article
|
||||
p It's pretty clear. We chose dovecot as our SASL, set path to it withing /var/spool, and enable it. Then we set option to not allow anonymous connections. Set our domain for SASL, and wether let the clients with obsolete version of AUTH command in or not, we chose not to.
|
||||
p It's time for encryption, lets specify a list of high ciphers to use:
|
||||
pre
|
||||
| tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
|
||||
p High means just that those ciphers are strong. I took them from a file #[code options-ssl-nginx.conf] generated by certbot, and ditched 128 byte key size.
|
||||
| tls_high_cipherlist = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128:!ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA
|
||||
p High means just that those ciphers are strong. I took this ciphers set from #[a(href="https://pub.nethence.com/security/ciphers") https://pub.nethence.com/security/ciphers].
|
||||
p Lets do client part of encryption.
|
||||
pre
|
||||
| smtp_use_tls = yes
|
||||
| smtp_tls_security_level = may
|
||||
| smtp_tls_security_level = encrypt
|
||||
| smtp_tls_note_starttls_offer = yes
|
||||
| smtp_tls_connection_reuse = yes
|
||||
| smtp_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
|
||||
@ -142,22 +142,20 @@ block article
|
||||
| smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
||||
| smtp_tls_protocols = $smtp_tls_mandatory_protocols
|
||||
| smtp_tls_mandatory_ciphers = high
|
||||
| smtp_tls_exclude_ciphers = aNULL, MD5, CAMELLIA
|
||||
p First we enable it with a #[code smtp_use_tls] option. Set security level (#[code smtp_tls_security_level]) to may, since not every SMTP server out there have encryption. Noting servers of our ability to use encryption with option #[code smtp_tls_note_starttls_offer]. Set to reuse connection instead of opening the new one each time.
|
||||
p First we enable it with a #[code smtp_use_tls] option. Setting security level with (#[code smtp_tls_security_level]) to encrypt enforces use of encryption. Noting servers of our ability to use encryption with option #[code smtp_tls_note_starttls_offer]. Set to reuse connection instead of opening the new one each time.
|
||||
p #[code smtp_tls_key_file] and #[code smtp_tls_cert_file] are paths to our encryption key and certificate.
|
||||
p #[code smtp_tls_mandatory_protocols] and #[code smtp_tls_protocols] here we disallow old vulnerable protocols to use. Here only TLS version 1.2 and 1.3 are allowed.
|
||||
p In #[code smtp_tls_mandatory_ciphers] we declare to use only good secure cyphers. And in #[code smtp_tls_exclude_ciphers] we exclude the most weak one.
|
||||
p In #[code smtp_tls_mandatory_ciphers] we declare to use only good secure cyphers.
|
||||
p With server part everything is the same, just a few more options added:
|
||||
pre
|
||||
| smtpd_use_tls = yes
|
||||
| smtpd_tls_security_level = may
|
||||
| smtpd_tls_security_level = encrypt
|
||||
| smtpd_tls_auth_only = yes
|
||||
| smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
|
||||
| smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
|
||||
| smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
|
||||
| smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
|
||||
| smtpd_tls_mandatory_ciphers = $smtp_tls_mandatory_ciphers
|
||||
| smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
|
||||
| smtpd_tls_loglevel = 1
|
||||
| smtpd_tls_received_header = yes
|
||||
| smtpd_tls_session_cache_timeout = 3600s
|
||||
|
Loading…
Reference in New Issue
Block a user