On Sat, Feb 07, 2015 at 10:18:11PM -0700, LuKreme wrote:

> # postconf -n | grep _tls_
> smtp_tls_security_level = may
> smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem

Fine so far.

> smtpd_tls_ciphers = high

This is too "high" for opportunistic TLS. Anything more than "medium" is too restrictive for opportunistic TLS on port 25. On the submission port (587) you can be more strict.

> # is smtp_tls_exclude needed?
> smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4

The defaults are fine. Why do you feel compelled to "tune" these?

> smtpd_tls_loglevel = 2

Too verbose. Stick with "1".

> smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3

Why exclude TLSv1.1 and TLSv1.2? See the documentation. The default is fine, but if you must tweak, exclude just "SSLv2".

    smtpd_tls_protocols = !SSLv2

On the submission port (587) you can be more strict.

> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions

Mostly unnecessary with Postfix 2.10 or later, which supports session tickets instead.

> smtpd_tls_session_cache_timeout = 1800s

No reason to reduce this from the default.

> # openssl s_client -connect 127.0.0.1:993

Postfix does not do IMAP, that's Dovecot or similar.

-- 
Viktor.
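An audit script in the spirit of the reply, added here as an example (it is not code from the thread or from Postfix): it reads a constructed sample of the questioned settings and reports the four that the reply objects to for opportunistic TLS on port 25. It assumes the Postfix defaults of "medium" ciphers, loglevel 1 and a 3600s session cache timeout.

```sh
#!/bin/sh
# Constructed sample mirroring the "postconf -n | grep _tls_" output quoted
# above; it is not a capture from a real host.
SAMPLE='smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_loglevel = 2
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
smtpd_tls_session_cache_timeout = 1800s'

# get_param NAME: print the value of NAME from $SAMPLE (empty if unset).
get_param() {
    printf '%s\n' "$SAMPLE" | sed -n "s/^$1 *= *//p"
}

# audit_tls: one finding per line for smtpd settings that are too strict,
# too noisy, or needlessly changed for opportunistic TLS on port 25.
audit_tls() {
    if [ "$(get_param smtpd_tls_ciphers)" = high ]; then
        echo 'smtpd_tls_ciphers=high: too strict for port 25, use the medium default'
    fi
    # A listed protocol name (no "!") turns the setting into an allow-list,
    # so "TLSv1, !SSLv2, !SSLv3" silently drops TLSv1.1 and TLSv1.2.
    for tok in $(get_param smtpd_tls_protocols | tr ',' ' '); do
        case "$tok" in
            "!"*) ;;
            *) echo 'smtpd_tls_protocols: positive list excludes TLSv1.1/1.2, use "!SSLv2"'
               break ;;
        esac
    done
    lvl=$(get_param smtpd_tls_loglevel)
    if [ -n "$lvl" ] && [ "$lvl" -gt 1 ]; then
        echo "smtpd_tls_loglevel=$lvl: too verbose, use 1"
    fi
    # Assumed default of 3600s; a lower value only forces more full handshakes.
    t=$(get_param smtpd_tls_session_cache_timeout)
    t=${t%s}
    if [ -n "$t" ] && [ "$t" -lt 3600 ]; then
        echo "smtpd_tls_session_cache_timeout=${t}s: below the default, leave it alone"
    fi
}

# count_findings: number of findings, as a bare integer.
count_findings() {
    audit_tls | wc -l | tr -d ' '
}

audit_tls
```

Stricter values for the submission service belong in a master.cf `-o` override on port 587, not in the main.cf settings that port 25 inherits.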