Scott Hollenbeck via Postfix-users:
> Sorry, I should note that this is for postfix 3.6.4.
>
postconf -H | grep -E 'high|medium'
Wietse
>
> > -----Original Message-----
> > From: Scott Hollenbeck via Postfix-users <postfix-users@postfix.org>
> > Sent: Wednesday, February 28, 2024 8:55 AM
> > To: postfix-users@postfix.org
> > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> >
> > Would someone please describe the configuration settings needed to support
> > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > configuration files:
> >
> > main.cf:
> >
> > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > smtpd_tls_security_level = may
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_protocols = >=TLSv1.2
> > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> >
> > master.cf:
> >
> > submission inet n - n - - smtpd
> > -o syslog_name=postfix/submission
> > -o smtpd_tls_security_level=encrypt
> > -o smtpd_sasl_auth_enable=yes
> > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >
> > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > that there are only TLS 1.2 ciphers listed, and some are weak):
> >
> > $ nmap-ciphers 587 mysite.com
> > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > Nmap scan report for mysite.com (173.255.237.114)
> > Host is up (0.00017s latency).
> > Other addresses for mysite.com (not scanned):
> > 2600:3c03::f03c:91ff:fe70:dbb
> > rDNS record for 173.255.237.114: mysite.net
> >
> > PORT STATE SERVICE
> > 587/tcp open submission
> > | ssl-enum-ciphers:
> > | TLSv1.2:
> > | ciphers:
> > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > | TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > | TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > | TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > | TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > | TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > | TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > | TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > | TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> > | TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> > | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
> > | compressors:
> > | NULL
> > | cipher preference: client
> > |_ least strength: F
> >
> > Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
> > $
> >
> > Thanks for your guidance,
> > Scott
> >
> > _______________________________________________
> > Postfix-users mailing list -- postfix-users@postfix.org
> > To unsubscribe send an email to postfix-users-le...@postfix.org
>
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
