On Thu, Jan 14, 2016 at 12:06:43PM -0500, Curtis Villamizar wrote:

> /usr/local/sbin/postconf -c /etc/postfix -n | grep tls
>
> smtp_tls_cert_file = /etc/postfix/cert.pem
> smtp_tls_key_file = /etc/postfix/key.pem

Usually best to not configure client certificates.

> smtp_tls_ciphers = high

Usually best to leave this at "medium". This is opportunistic TLS, and if high fails, you'll send cleartext, which is NOT stronger than medium.

> smtp_tls_exclude_ciphers = aNULL MD5 DES

Mostly harmless, but not ideal. Instead try:

    smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

> smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1

This is a terrible idea, it results in unconditional use of TLS 1.0 (the hole in that list). If you really want to force TLSv1.2, then you must also disable TLSv1.

> smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1

This is worse, your opportunistic TLS is constrained to TLSv1.

> smtpd_tls_ask_ccert = yes

Do you do anything with client certs? If not, don't request them.

> smtpd_tls_cert_file = /etc/postfix/cert.pem
> smtpd_tls_key_file = /etc/postfix/key.pem

What kind of key is that? RSA or ECDSA? Can you post the output of:

    openssl x509 -in /etc/postfix/cert.pem -noout -text | egrep -v ':.*:.*:'

> smtpd_tls_ciphers = high

This is a bad idea, leave it at medium.

> smtpd_tls_exclude_ciphers = aNULL MD5 DES

This is not needed.

> smtpd_tls_loglevel = 2

Level 1 is just right, 2 is too much.

> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1

Less harmful on servers, but what do you have against TLSv1.1? It is not worse than TLSv1, in fact somewhat better. Choose one of:

    smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

> smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1

For opportunistic TLS leave TLSv1, TLSv1.1 and TLSv1.2 enabled.

    smtpd_tls_protocols = !SSLv2 !SSLv3

You're changing too many carefully chosen default settings, and doing more harm than good.

> smtpd_tls_session_cache_timeout = 300

Longer is better, especially with Postfix 2.11+ and session tickets. Let the default stand.

> tls_dane_digest_agility = on
> tls_dane_digests = sha512 sha256
> tls_dane_trust_anchor_digest_enable = yes
> tls_wildcard_matches_multiple_labels = yes

These are defaults, don't force them on explicitly.

> tls_disable_workarounds = 0xFFFFFFFF

Are you sure that's a good idea? This is opportunistic TLS.

> tls_preempt_cipherlist = yes
> tls_ssl_options = NO_COMPRESSION

These are fine.

> /usr/local/bin/openssl version -a
>
> OpenSSL 1.0.2e 3 Dec 2015

OK.

> mta1 (secondary MX)
>
> OpenSSL 1.0.2d 9 Jul 2015

Upgrade this one perhaps.

-- 
	Viktor.
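The advice in this reply lends itself to an automated check. The Python below is an added example, not Viktor's or Postfix's own code: it parses `postconf -n` output (a constructed sample is embedded) and flags the settings criticised above, namely restricted opportunistic protocol lists, a "hole" in a mandatory protocol list, a non-medium cipher grade, and asking for client certificates that are not used. It assumes the documented Postfix protocol-list semantics (`!name` excludes; bare names, if present, restrict to those named).

```python
import re
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest first

def parse_postconf(text):
    """Parse the 'name = value' lines printed by `postconf -n` into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def enabled_protocols(value):
    """Resolve a Postfix protocol list: '!name' excludes, bare names (if any) restrict."""
    tokens = value.replace(",", " ").split()
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return [p for p in PROTOCOLS if p not in excluded and (not included or p in included)]

def audit(cfg):
    """Return findings that mirror the advice given in the thread above."""
    findings = []
    for key in [k for k in ("smtp_tls_protocols", "smtpd_tls_protocols") if k in cfg]:
        tls = [p for p in enabled_protocols(cfg[key]) if p.startswith("TLS")]
        if tls != ["TLSv1", "TLSv1.1", "TLSv1.2"]:
            findings.append(f"{key}: opportunistic TLS limited to {tls}; leave every TLS version enabled")
    for key in [k for k in ("smtp_tls_mandatory_protocols", "smtpd_tls_mandatory_protocols") if k in cfg]:
        idx = [PROTOCOLS.index(p) for p in enabled_protocols(cfg[key])]
        # '!SSLv2 !SSLv3 !TLSv1.1' leaves TLSv1 and TLSv1.2: a hole that still permits TLS 1.0
        if not idx or idx != list(range(idx[0], idx[-1] + 1)):
            findings.append(f"{key}: non-contiguous version set; also disable the versions older than the gap")
    for key in ("smtp_tls_ciphers", "smtpd_tls_ciphers"):
        if cfg.get(key, "medium") != "medium":
            findings.append(f"{key} = {cfg[key]}: a failed handshake falls back to cleartext; use medium")
    if cfg.get("smtpd_tls_ask_ccert") == "yes":
        findings.append("smtpd_tls_ask_ccert = yes: do not ask for client certs you do not use")
    return findings

# Constructed sample of `postconf -n` output using the settings quoted in the thread.
SAMPLE = """\
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtpd_tls_ask_ccert = yes
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
"""
if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE)):
        print(finding)
```

Run against the real output of `postconf -n | grep tls`, the script lists four findings for the sample above and none for a configuration that keeps the Postfix defaults.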