On Sat, May 23, 2015 at 08:01:15AM -0700, Grant wrote:

> Currently I have the following in main.cf:
>
> smtp_tls_exclude_ciphers = aNULL
> smtpd_tls_exclude_ciphers = aNULL

This is unnecessary.

> According to weakdh.org/sysadmin.html, I should have this:

Some clueless people post cargo-cult nonsense on topics they don't understand. Ignore most of their advice. Postfix has fairly sensible default settings, although we'll probably be adjusting the TLS settings a bit soon, to disable EXPORT and LOW by default; they are no longer legitimately used in practice. Thus I would set:

smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium

> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

And not most of these; just "aKRB5" is good to disable. The Kerberos ciphers in TLS are obsolete, and will be removed from OpenSSL in upcoming releases. If your O/S vendor enables KRB5 support in OpenSSL (I never do when I build OpenSSL), then consider:

smtp_tls_exclude_ciphers = aKRB5
smtpd_tls_exclude_ciphers = aKRB5

> Should I use the same dhparams.pem file that I use for nginx, or
> generate a new one for postfix?

http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

May as well have separate dhparam files, then no need to worry about compatibility between browsers and SMTP clients.

-- 
Viktor.
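The following is an added example, not part of the thread: a small checker that parses a Postfix main.cf fragment (including continuation lines) and reports where the cipher settings diverge from the advice above (cipher grade "medium", exclude at most aKRB5, a Postfix-specific DH parameter file). The sample configurations are constructed, and the "nginx in the path" test for a shared DH file is a heuristic of this example, not anything Postfix checks.

```python
"""Check a Postfix main.cf fragment against the TLS cipher advice in the reply above."""
import re

# Constructed sample modelled on the quoted weakdh.org cargo-cult list (with a continuation line).
CARGO_CULT_CF = """\
smtp_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
    aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/nginx/dhparam.pem
"""

# Constructed sample following the reply: medium grade, only aKRB5 excluded, own DH file.
RECOMMENDED_CF = """\
smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium
smtp_tls_exclude_ciphers = aKRB5
smtpd_tls_exclude_ciphers = aKRB5
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()   # main.cf continuation line
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def check_tls_ciphers(params):
    """Return findings (an empty list means the fragment follows the advice)."""
    findings = []
    for p in ("smtp_tls_ciphers", "smtpd_tls_ciphers"):
        if params.get(p) != "medium":
            findings.append(f"{p}: set to 'medium' (found {params.get(p)!r})")
    for p in ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers"):
        extra = [c for c in split_list(params.get(p, "")) if c != "aKRB5"]
        if extra:
            findings.append(f"{p}: drop {extra}; only aKRB5 is worth excluding")
    dh = params.get("smtpd_tls_dh1024_param_file", "")
    if not dh:
        findings.append("smtpd_tls_dh1024_param_file: unset; generate a DH file for Postfix")
    elif "nginx" in dh:   # heuristic: path suggests the file is shared with nginx
        findings.append(f"smtpd_tls_dh1024_param_file: {dh} looks shared with nginx; use a separate file")
    return findings

if __name__ == "__main__":
    for name, cf in (("cargo-cult", CARGO_CULT_CF), ("recommended", RECOMMENDED_CF)):
        print(name, check_tls_ciphers(parse_main_cf(cf)) or "OK")
```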