Hello,

I want to make a secure but still public mail server and would like to ask
if the following configuration (with regard to the cryptography used) would be
alright? I am not too sure about how many servers currently support TLS or
which security levels in general but I still want to be able to communicate
with most of them. 

    smtpd_tls_mandatory_ciphers = high
    smtp_tls_mandatory_ciphers = high
    smtpd_tls_ciphers = high
    smtp_tls_ciphers = high
    smtp_tls_security_level = may
    smtpd_tls_security_level = may

    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

    smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
    smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
    #hope this is enough since it is also added to the mandatory exclusions
    smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
    smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5

Also what happens with the upper configuration if the other server does not
support these standards? If I understood it correctly the
smtp(d)_tls_security_level = may option will jump back on even Plain Text if
needed. But wouldn't that mean that if I could have gotten at least e.g. RC4
instead of the Plain Text that it would have been better to not disable
them? So what is the most secure configuration then without losing too much
compatibility with other *common* mail servers? (I'm kind of sure that there
is no perfect solution but hope at least for opinions)

Background: It is for a security oriented company, with pretty high security
standards BUT I also don't want any emails to get lost with this
configuration. Is there some compromise in sight?

I am also curious what the best options are for smtpd_recipient_restrictions
as well as for sender and helo. I can post my main.cf with more details if
needed.

Best regards,
Akimiya



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/What-is-a-good-and-very-secure-configuration-for-public-postfix-server-nowadays-tp76918.html
Sent from the Postfix Users mailing list archive at Nabble.com.
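
Added example, not part of the original message and not Postfix code: a small Python check over the settings quoted in the post. It reports parameters defined twice (Postfix keeps the last definition), *_mandatory_* settings that the global level "may" does not use, and the sides where cleartext remains allowed. The function names and report keys are assumptions made for this illustration; per-destination policy tables and continuation lines are not modelled.

```python
# Added example: reviews the main.cf fragment from the post (embedded below).
POSTED = """\
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
#hope this is enough since it is also added to the mandatory exclusions
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
"""

# Levels at which Postfix always requires TLS and applies *_mandatory_* settings.
MANDATORY_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse(text):
    """Return (effective settings, names defined more than once).
    Simplification (assumption): no continuation lines or $name expansion."""
    effective, repeated = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in effective and name not in repeated:
            repeated.append(name)
        effective[name] = value  # the last definition is the one Postfix keeps
    return effective, repeated

def review(text):
    cfg, repeated = parse(text)
    report = {"repeated": repeated, "unused_mandatory": [], "cleartext_allowed": []}
    for side in ("smtp", "smtpd"):  # smtp = sending client, smtpd = receiving server
        level = cfg.get(f"{side}_tls_security_level", "")
        if level not in MANDATORY_LEVELS:
            report["unused_mandatory"] += sorted(
                n for n in cfg if n.startswith(f"{side}_tls_mandatory_"))
        if level == "may":
            report["cleartext_allowed"].append(side)
    return report

if __name__ == "__main__":
    for finding, names in review(POSTED).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```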
