Perfect answer, I appreciate it. I will do as you advised. I have a few more questions about the configuration:

> > smtpd_sasl_tls_security_options=noanonymous,noplaintext
>
> Unless you're doing GSSAPI, most of the other options require a store of the actual unhashed passwords on the server, and far worse than "plaintext". I would not use "noplaintext".

1. I saw that GSSAPI is some kind of authentication, like SASL. In my configuration I don't have any lines for this. It's not a default thing, is it?

2. I tested my server using an Internal PCI Scan and there are some vulnerabilities related to weak ciphers. That's why I used smtpd_tls_exclude_ciphers and smtp_tls_exclude_ciphers with:

    aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

I would just like to have a nicely secured server, but of course not an extreme one. The default values are:

    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL

Should they be like the above?

> Better, just disable SASL without TLS.

3. How do I do this? I would not like to break the Postfix configuration. I am still learning how to do things better. Unfortunately I can only depend on knowledge from the network and from smart people.

The Internal PCI Scan says that:

- SMTP Service Cleartext Login Permitted for 25 / tcp / smtp
- SSL Medium Strength Cipher Suites Supported for 25 / tcp / smtp and 465 / tcp / smtp
- SSL 64-bit Block Size Cipher Suites Supported (SWEET32) for 25 / tcp / smtp and 465 / tcp / smtp

They are marked as medium vulnerabilities. Should I try to leave it as it is without fear?

2017-04-27 17:29 GMT+02:00 Viktor Dukhovni <postfix-us...@dukhovni.org>:

> On Thu, Apr 27, 2017 at 06:55:37AM +0200, Poliman - Serwis wrote:
>
> > Is between dovecot and postfix some communication?
>
> None to the IMAP service, and especially nothing that involves
> smtpd(8) TLS settings.
>
> > tls_ssl_options = no_ticket, no_compression
>
> You've been reading and following some idiot's guide to "securing"
> TLS with Postfix, leave this and most of the below settings at
> their default values.
>
> > tls_preempt_cipherlist = yes
>
> That's fine.
>
> > smtpd_sasl_security_options=noanonymous,noplaintext
>
> Better, just disable SASL without TLS.
>
> > smtpd_sasl_tls_security_options=noanonymous,noplaintext
>
> Unless you're doing GSSAPI, most of the other options require a
> store of the actual unhashed passwords on the server, and far worse
> than "plaintext". I would not use "noplaintext".
>
> > smtpd_tls_mandatory_ciphers = high
>
> Bad idea, set "medium" instead, default in recent versions of Postfix.
>
> > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
>
> This is fine.
>
> > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't
> > know what should be setup
> > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
>
> Leave this parameter at its default value. Instead, if that is
> not *already* the default, set:
>
> smtpd_tls_protocols = !SSLv2, !SSLv3
>
> > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
>
> The above is inane. Leave this parameter at its default value.
> Instead, make sure that you have (likely already the default):
>
> smtp_tls_ciphers = medium
>
> Only if you desperately want a smaller TLS ClientHello, try:
>
> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>
> Those are not needed for interoperability and just add bloat. You
> may also add RC4, after monitoring your server for a while (a month
> or more) and checking your logs to make sure that no legitimate
> peers require RC4 (look for TLS connections using RC4 in your logs).
>
> > Before setup those lines in main.cf, dovecot didn't cry any error in
> > log.
>
> Dovecot errors are the result of configuration changes you've made in
> Dovecot.
>
> --
> Viktor.

--
Pozdrawiam / Best Regards
Piotr Bracha
tel. 534 555 877
ser...@poliman.pl
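As an added example, not part of this thread or of either writer's actual configuration: a main.cf fragment that applies the advice quoted above, using the settings the thread discusses. The one parameter not named in the thread is `smtpd_tls_auth_only`, the standard Postfix setting that stops smtpd(8) from announcing or accepting SASL AUTH on unencrypted sessions (what "disable SASL without TLS" means, and what the "Cleartext Login Permitted" scan finding is about); the DH parameter path is the one from the thread.

```conf
# Postfix main.cf fragment (added example, not from the thread).

# Server side (smtpd): offer opportunistic TLS on port 25, but only
# announce and accept SASL AUTH after STARTTLS. This is the safe way
# to "disable SASL without TLS"; "noplaintext" is deliberately not
# used, per the advice above.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

# Protocol and cipher policy as advised: drop only SSLv2/SSLv3, keep
# the cipher grade at "medium", and leave smtpd_tls_exclude_ciphers
# at its default (so it is intentionally not set here).
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = yes
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

# Client side (smtp): opportunistic TLS with the default "medium"
# grade; smtp_tls_exclude_ciphers is likewise left at its default.
smtp_tls_security_level = may
smtp_tls_ciphers = medium
```

The smtps service on port 465 defined in master.cf inherits these main.cf values unless it overrides them with `-o` options there, so the same policy covers both scanned ports.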